US20080209557A1 - Spyware detection mechanism - Google Patents
- Publication number: US20080209557A1 (application US11/680,136)
- Authority: US (United States)
- Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Classifications
- G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55: Detecting local intrusion or implementing counter-measures
- G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562: Static detection
- G06F21/564: Static detection by virus signature recognition
- G06F21/565: Static detection by checking file integrity
- G06F21/568: Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Definitions
- spyware is computer software that collects personal information (e.g., passwords, Personal Identification Numbers (PINs), Social Security information, bank account, credit card and other ancillary financial details, etc.) about individuals without their consent.
- spyware is software that monitors user behavior, or gathers information about the user that can include personally identifiable or other sensitive information, through an executable program, deployed without adequate notice, consent, or control for the user.
- spyware can be thought of as potentially unwanted technologies deployed without appropriate user consent and/or implemented in ways that impair user control over, for example, material changes that affect their experience, privacy, or system security; use of their system resources, including programs installed on their computers; and/or collection, use, and distribution of their personal or other sensitive information.
- adware (programs that cause advertising content to be delivered and displayed, potentially in a manner or context that can be unexpected or unwanted by users) has also become a prevalent feature of the modern computing experience.
- the claimed subject matter in one aspect relates to a machine implemented system that detects malware secreted and/or hidden in plain sight on the machine.
- the system includes a detection component that can generate lists of all the modules loaded on the machine and thereafter can identify from the generated list a sub-set of modules common to more than a threshold number of processes.
- the system having identified the sub-set of modules extant in more than a threshold number of processes can utilize this subset to further thin the list by eliminating modules that are included in authentication lists supplied either by application software developers and/or by verified third-party software authenticators.
- the filtered list can then be prioritized based, for example, on a number of occurrences a particular module makes in the list, and thereafter the filtered and prioritized list can be forwarded to an analyst for further attention and investigation.
- the claimed subject matter can measure whether any version of DLL injection is being used on a machine by measuring, for example, the intersection of non-whitelisted DLLs across all processes, across all processes that have accepted a certain event, such as a keystroke, and by measuring whether any module ends up injected into a honey pot (e.g., a process implemented to look more vulnerable than it truly is, and to keep records of everything that happens to it) version of a common process. Additionally, the claimed subject matter can measure whether any non-whitelisted process consistently consumes resources between successive events, such as, for example, repeated keystrokes. The results of these measurements can be used together with other measurements as input to a prioritization component that decides which of a larger number of suspected malware samples is most in need of an analyst's attention.
- measurements can be made on the PCs of many diverse users who happen to have suspected malware installed on their machines, wherein the measurements can be reported to a prioritization component that aggregates the information before prioritizing for dissemination to analysts.
- suspected malware can be placed in a controlled environment (e.g., an emulator, a virtual machine, etc.) for study, measurements obtained from various tests carried out on the suspected malware samples, and results passed to a prioritization component that can convey prioritized lists of suspected malware to an analyst's workstation for further examination.
- FIG. 1 illustrates a malware detection system in accordance with the claimed subject matter.
- FIG. 2 provides a more detailed depiction of a detection component in accordance with one aspect of the claimed subject matter.
- FIG. 3 provides a more detailed illustration of an analysis component in accordance with the disclosed subject matter.
- FIG. 4 illustrates a system that employs intelligence to facilitate detection of malware in accordance with an aspect of the disclosed subject matter.
- FIG. 5 provides an illustrative view of application and/or memory space assigned to applications and processes in accordance with an aspect of the claimed subject matter.
- FIG. 6 illustrates a flow diagram of a methodology that effectuates detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- FIG. 7 provides a further methodology for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- FIG. 8 provides a further methodology for detection of malware executing on a machine in accordance with a further aspect of the claimed subject matter.
- FIG. 9 provides yet a further methodology for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- FIG. 10 depicts a methodology for detection of malware active on a machine in accordance with a further aspect of the subject matter as claimed.
- FIG. 11 illustrates a block diagram of a computer operable to execute the spyware detection architecture.
- FIG. 12 illustrates a schematic block diagram of an exemplary computing environment for processing the spyware detection architecture in accordance with another aspect.
- Malware (e.g., spyware, adware, crimeware, fraudware, viruses, worms, and the like) generally attempts to conceal itself.
- malware authors go to great lengths to conceal the presence of their creations and more particularly the fact that such code is executing.
- a user can instantiate a system utility (e.g., Task Manager, Process Manager, Session Manager, etc.) to investigate active processes, threads, applications, and programs. Such investigation can reveal processes that the user does not recognize and as such provide indication that these processes might be malware.
- malware authors go to considerable lengths to ensure that their version of malware is concealed and is virtually undetectable by the uninitiated.
- malware typically does not openly execute as “eventlogger.exe”, “malware.exe”, “spyware.exe”, “adware.exe”, and/or “crimeware.exe” per se.
- unless the malware author is careless, it is highly improbable that casual perusal of the system utility will expose the existence of operative malware.
- DLL: Dynamic Link Library
- a malicious process called “keylogger.exe” can launch a thread, but instead of the thread being associated with “keylogger.exe”, the thread masquerades as belonging to legitimate process “legitimate.exe”.
- Malicious process “keylogger.exe” once it has accomplished its goal of launching its thread can vanish, but the thread initiated by “keylogger.exe” remains active but hidden since it is inside another, potentially legitimate, process—effectively spying on the user's activities with regard to other legitimately running processes and applications.
- legitimate process “legitimate.exe” now has an extraneous parasitic thread associated with it that the user has little or no ability to detect.
- legitimate process “legitimate.exe” may typically execute with between 20 and 30 threads and it is unlikely that an average user would be able to detect that an additional thread is present.
- There are a number of methods of accomplishing DLL injection, the principal one being to attach to every process that loads certain modules.
- when processes commence execution they can load a plethora of disparate DLLs.
- Many of the DLLs that are loaded are system and user interface (e.g. Graphical User Interface) files, such as kernel32, user32, and the like.
- Authors of malicious processes and/or software can utilize this fact to associate malicious processes and/or software with these commonly loaded DLLs so that whenever a process calls one of these commonly loaded DLLs an instance of the parasitic process is loaded as well.
- when a legitimate process of its own accord loads a commonly loaded DLL, it unwittingly causes the malicious process (or repeated instances of the malicious process) to be introduced into the system unbidden and unasked.
- Another technique for accomplishing DLL injection is for the malicious process to attach on particular common events (e.g., keystrokes, mouse clicks, right-mouse clicks, left-mouse clicks, etc.). For example, when a legitimate process accepts a keystroke, then the process that has a window open that accepted the keystroke will have associated thereto an instance of the malicious process DLL.
- a further method for accomplishing malicious process insertion targets specific processes wherein the author of malicious software and/or processes creates a thread executing in a particular legitimate process. This is a very targeted and selective approach in that the malicious process thread typically only runs in the specific process to which it is directed.
- the benefit to the author of malicious software and/or processes is that the malicious process code has a much lower footprint, the better to avoid detection and achieve stealth.
- the author generally targets a process and/or application that is typically beyond reproach and that has a fairly high probability of being executed on a continuous and/or periodic basis. Having identified such an application and/or process, the author inserts a single thread into the identified application and/or process.
- FIG. 1 illustrates a malware detection system 100 that continuously, dynamically and automatically oversees, individually and/or collectively, a first processor 110_1, a second processor 110_2, through to an Nth processor 110_N, N being an integer greater than or equal to one.
- the first processor 110_1, the second processor 110_2, through to the Nth processor 110_N can be referred to collectively as processors 110.
- Processors 110 can be in operative and continuous communication with detection component 130 via communication medium 120.
- Processors 110 can include any industrial, commercial, and/or consumer machinery with embedded, affiliated, associated and/or encapsulated processors, such as industrial automation devices, computing devices (e.g., laptops, notebook computers, Personal Digital Assistants (PDAs), ...)
- Processors 110 can include those of users who run a particular piece of software or participate in a particular network. Additionally, processors 110 can have associated storage, memory, etc. Further, communication medium 120 can include Ethernet, Wireless Ethernet, Wi-Fi, satellite based technologies, and the like.
- Detection component 130 continuously monitors processors 110 to detect the existence of malicious processes (e.g., spyware, adware, crimeware, fraudware, viruses, etc.). Upon detecting evidence of malicious processes, detection component 130 can analyze the instance that raised the alarm to determine with certitude whether the instance constitutes malware, and if so can direct a notification to an analyst who investigates the issue further. Additionally and/or alternatively, detection component 130 can aggregate and/or classify the instances of detected malware and provide a prioritized report (e.g., flagging and ordering those items of detected malware which pose the greatest risk to the smooth running of the machine) to the analyst for further investigation and/or remedial measures. Moreover, detection component 130 can also, if necessary, generate remedial signature files for dissemination to processors 110 in order to curtail the continued operation of malware on processors 110.
- FIG. 2 provides a more detailed depiction 200 of detection component 130.
- detection component 130 can include interface 210 that receives data related to processes, applications, threads and DLLs loaded and executed by processors 110.
- Interface 210 can further disseminate notifications, by way of, for example, prioritized reports, color coded lists, etc., to analyst workstations for further investigation by human intermediaries.
- interface 210 can trigger one or more automated responses and/or code execution. For example, if particular malicious processes have been detected in the past, interface component 210 can issue a set of commands and/or present a dialog box on further detection of the same or a similar malicious process.
- interface 210 conveys such data to analysis component 220 that peruses all loaded modules executing in memory space associated with processors 110 and identifies modules that may warrant further attention.
- analysis component 220 can persist copies of code associated with identified modules in store 240.
- analysis component 220 can communicate information associated with the identification to notification component 230.
- Notification component 230, on receipt of the information from analysis component 220, can automatically and immediately generate a report (e.g., a notification) that can be immediately forwarded to analysts' workstations for further analysis by human intermediaries.
- notification component 230 can generate the report on a periodic basis (e.g., once a month, once a week, once a day, twice a day, every four hours, etc.), wherein it is to be understood in this aspect that notification component 230 retrieves information previously and/or contemporaneously persisted by analysis component 220 in store 240 and thereafter generates the necessary notifying report.
- FIG. 3 provides a more detailed illustration 300 of analysis component 220 in accordance with an aspect of the claimed subject matter.
- Analysis component 220 can include listing component 310, elimination component 320 and prioritization component 330.
- Listing component 310 obtains from processors 110 (not shown) a list of all active DLLs that are loaded in more than a threshold number (the threshold number being previously or contemporaneously supplied by a human intermediary or dynamically established through use of artificial intelligence) of processes.
- an application can load many DLLs that can be written, for instance, by the application vendor/manufacturer, the operating system supplier, parties that specialize in providing legitimate third-party add-ins, etc.
- processes and applications will have some DLLs loaded that are specific to the process and application (e.g., written specifically by the particular application developers) and some DLLs that are common to many applications and processes (e.g., those provided by the operating system to effectuate common system tasks employed by many processes and applications).
- listing component 310 in one aspect generates lists of all active DLLs that are loaded in more than a threshold number of processes. For example and with reference to FIG. 5, if three applications from different application vendors (e.g., A, I, and Q) are loaded into a particular processor's memory and/or application space, listing component 310 can ascertain from the total list of loaded DLLs the set of common DLLs (e.g., Z as illustrated in FIG. 5) that are being utilized by all three executing applications. In other words, listing component 310 identifies the list of common DLLs that reside at the intersection of the respective memory spaces allocated to each application.
- modules that are unique to application A will not appear in the intersection list, similarly modules specific to applications I and Q also will not appear in the intersection list. Only modules that are common to all three of the illustrative applications will be identified by listing component 310 as being worthy of further review and analysis.
- elimination component 320, in conjunction with one or more white lists (e.g., lists of modules provided by application vendors and/or other verifying or certifying bodies whose authenticity is beyond reproach), eliminates from the list those modules that are known to be good (e.g., modules are eliminated because they appear in the one or more white lists).
- Elimination component 320 can ascertain that a module in the list of common modules corresponds with an item supplied on the white list by comparing a cryptographic hash, such as MD5 or SHA-1, of the file with the hashes of files known to be good on the white list, for example.
- Prioritization component 330, on receipt of the reduced list, can provide a ranking (e.g., based on how detrimental the perceived threat from the module might be, based on the number of times a particular module finds its way onto the list, etc.) for use by notification component 230 (see FIG. 2).
- Prioritization component 330 additionally can accept input and measurements from many other sources of data 340. For example, in addition to DLL injection, measurement of other system resources used by software can be valuable to prioritization component 330.
- Measurements can include, for instance, registry keys written, read, and/or altered by software, files that are accessed and/or modified, etc. Measurements can be made on PCs of diverse users who happen to have the suspected malware installed and reports can be sent to a centralized prioritization component. Alternatively and/or additionally measurements can be made in a laboratory environment. In addition, prioritization component 330 can attach meta-data, or a report to each suspected malware sample that is processed. For example, the presence of DLL injection can be useful to a human analyst who will examine the sample and possibly compile anti-virus signatures as a response to the detected DLL injection.
- FIG. 4 illustrates a system 400 that employs intelligence to facilitate detection of malware.
- the system 400 can include analysis component 220 and notification component 230, which can be substantially similar to the respective components, services, network services, interfaces, and interface components described in previous figures.
- System 400 further includes an intelligent component 410.
- the intelligent component 410 can be utilized by both analysis component 220 and notification component 230 to facilitate accurately detecting, identifying and classifying malware and to further provide appropriate notifications to analysts.
- the intelligent component 410 can infer and classify malware based on previously persisted signatures as being either benign or malignant or inimical to the smooth and secure running of processors 110, etc.
- intelligent component 410 can employ persisted behaviors associated with previously classified malware to refine and/or vary the definitional norm for execution of various legitimate software (e.g., application and/or operating system software) and, based at least in part upon these refinements and/or variations, detect abnormalities of operation in such legitimate software.
- the intelligent component 410 can provide for reasoning about or infer states of the system, environment, and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action, or can generate a probability distribution over states, for example.
- the inference can be probabilistic—that is, the computation of a probability distribution over states of interest based on a consideration of data and events.
- Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity, and whether the events and data come from one or several event and data sources.
- classification (explicitly and/or implicitly trained) schemes and/or systems (e.g., support vector machines, neural networks, expert systems, Bayesian belief networks, fuzzy logic, data fusion engines, ...)
- Such classification can employ a probabilistic and/or statistical-based analysis (e.g., factoring into the analysis utilities and costs) to infer an action that a user desires to be automatically performed.
- a support vector machine (SVM) is an example of a classifier that can be employed. The SVM operates by finding a hypersurface in the space of possible inputs, which hypersurface attempts to split the triggering criteria from the non-triggering events.
- Other directed and undirected model classification approaches, e.g., naive Bayes, Bayesian networks, decision trees, neural networks, fuzzy logic models, and probabilistic classification models providing different patterns of independence, can also be employed.
- Classification as used herein also is inclusive of statistical regression that is utilized to develop models of priority.
- program modules can include routines, programs, objects, data structures, etc. that perform particular tasks or implement particular abstract data types.
- functionality of the program modules may be combined and/or distributed as desired in various aspects.
- FIG. 6 illustrates a methodology 600 for detecting malware executing on a machine.
- Method 600 commences at 602 where various and sundry processor initialization tasks and background activities are performed, at which point the method proceeds to 604.
- the method lists all modules that have been loaded into a particular processors application and/or memory space.
- the method refines the lists by filtering out modules that are specific to a single application or process.
- the method eliminates modules that appear on white lists provided by application manufacturers and/or reliable independent certification agencies.
- the remaining items on the list are prioritized and/or amalgamated with other lists that can have been previously generated to provide a report of modules whose provenance is questionable.
- the method progresses to 612 wherein the prioritized, sorted and/or amalgamated list is disseminated to analyst workstations for further investigation by human analysts.
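The listing, elimination and prioritization pipeline described for analysis component 220 (FIG. 3) and for methodology 600 above, as an added example that is not part of the patent: the process snapshot, the module contents and the white list are constructed, the hashes are SHA-256 rather than the MD5 or SHA-1 the text names, and ranking by the number of unverified copies of a module is this example's reading of "number of occurrences".

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Dict[str, bytes]]   # process -> {module name: file contents}
Instances = Dict[str, Dict[str, str]]    # module name -> {process: sha256 hex}


def sha256_hex(data: bytes) -> str:
    # The patent names MD5 or SHA-1 for white-list matching; both are
    # collision-prone today, so this allow list is keyed on SHA-256 instead.
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for module files whose hashes a vendor or certifying
# body would publish.
GOOD_KERNEL32 = b"kernel32 stand-in"
GOOD_USER32 = b"user32 stand-in"
GOOD_UITK = b"vendor ui toolkit stand-in"
WHITELIST: Set[str] = {sha256_hex(GOOD_KERNEL32), sha256_hex(GOOD_USER32), sha256_hex(GOOD_UITK)}

# Constructed snapshot of loaded modules per process (on a live Windows host it
# would come from a module enumeration such as `tasklist /m`). hook.dll sits in
# every interactive process and is on no list; app_q.exe has loaded a uitk.dll
# whose bytes differ from the vendor copy, so its name alone proves nothing.
SNAPSHOT: Snapshot = {
    "app_a.exe": {"kernel32.dll": GOOD_KERNEL32, "user32.dll": GOOD_USER32,
                  "uitk.dll": GOOD_UITK, "hook.dll": b"hook", "a_only.dll": b"a"},
    "app_i.exe": {"kernel32.dll": GOOD_KERNEL32, "user32.dll": GOOD_USER32,
                  "uitk.dll": GOOD_UITK, "hook.dll": b"hook", "i_only.dll": b"i"},
    "app_q.exe": {"kernel32.dll": GOOD_KERNEL32, "user32.dll": GOOD_USER32,
                  "uitk.dll": b"tampered uitk", "hook.dll": b"hook", "q_only.dll": b"q"},
    "svc.exe": {"kernel32.dll": GOOD_KERNEL32, "svc_only.dll": b"s"},
}


def list_modules(snapshot: Snapshot) -> Instances:
    """Listing component: every loaded module by name, with the hash of each
    process's copy, so later steps can both count processes and verify copies."""
    instances: Instances = defaultdict(dict)
    for proc, modules in snapshot.items():
        for name, contents in modules.items():
            instances[name][proc] = sha256_hex(contents)
    return dict(instances)


def common_modules(instances: Instances, threshold: int) -> List[str]:
    """Keep modules loaded by more than `threshold` processes; modules specific
    to one application (a_only.dll, svc_only.dll, ...) drop out here."""
    return sorted(name for name, procs in instances.items() if len(procs) > threshold)


def eliminate_whitelisted(candidates: List[str], instances: Instances,
                          whitelist: Set[str]) -> Dict[str, List[str]]:
    """Elimination component: a module is cleared only if every process's copy
    hashes to a white-listed value; otherwise its unverified copies are kept."""
    remaining: Dict[str, List[str]] = {}
    for name in candidates:
        unverified = sorted(p for p, h in instances[name].items() if h not in whitelist)
        if unverified:
            remaining[name] = unverified
    return remaining


def prioritize(remaining: Dict[str, List[str]]) -> List[Tuple[str, int, List[str]]]:
    """Prioritization component: most unverified occurrences first, then by name."""
    ranked = [(name, len(procs), procs) for name, procs in remaining.items()]
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


def triage(snapshot: Snapshot, whitelist: Set[str], threshold: int):
    """Methodology 600 end to end: list, thin by commonality, thin by white
    list, prioritize for the analyst."""
    instances = list_modules(snapshot)
    candidates = common_modules(instances, threshold)
    return prioritize(eliminate_whitelisted(candidates, instances, whitelist))


if __name__ == "__main__":
    for name, count, procs in triage(SNAPSHOT, WHITELIST, threshold=2):
        print(f"{name}: {count} unverified copies in {', '.join(procs)}")
```

Keying elimination on the hash of each copy rather than on the module name is what keeps the tampered uitk.dll in app_q.exe on the analyst's list while the vendor copies in the other two processes are cleared.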
- FIG. 7 provides a further methodology 700 for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- Method 700 commences at 702 wherein initialization and background activities are performed.
- the method produces a list of all modules that have been loaded into the application and/or memory space of a particular processor.
- the initial generated list is trimmed by eliminating modules from the list that are specific to a particular application (e.g., those modules that are not employed by more than a threshold number of processes).
- the method further trims the list by eliminating modules that are included in white lists (or verification lists) obtained from software suppliers, application software providers, trusted third party certification agencies, and the like.
- those items that remain on the trimmed list are categorized, prioritized and/or amalgamated with other lists that can have been previously generated to provide a report of modules whose provenance is questionable.
- the questionable provenance of modules can be based at least in part on the software code that initiated the module to load (e.g., known applications, operating system components, websites whose reputations are known, unknown, or known to be bad, etc.).
- the method progresses to 712 wherein the prioritized, categorized and/or amalgamated list is disseminated to analyst workstations for further investigation by human analysts.
- the method can, with input from an artificial intelligence engine and/or human analysts, dynamically and automatically generate a signature file (e.g. for use in detection of subsequent malware and/or mutations thereof) for use in countering instances of malware that are surreptitiously implemented on a particular machine and/or processor.
- FIG. 8 provides a further methodology 800 for detection of malware executing on a machine in accordance with a further aspect of the claimed subject matter.
- multiple initialization and background activities are performed, whereupon method 800 proceeds to 804 where a list of all modules resident in application memory space is generated.
- the initial list generated at 804 is truncated by focusing on modules that are common to more than a threshold number (e.g., the threshold number dynamically and automatically determined in conjunction with an artificial intelligence attribute and/or supplied by human intermediaries) of processes and where the module is associated with a process that has accepted at least one event in the immediate past.
- the method identifies, in conjunction with authentication lists obtained and/or supplied from one or more external sources (e.g., application developer, pre-analysis of source by independent third party authenticators, periodic updates from authenticated application source vendor, etc.) and/or dynamically generated by an artificial intelligence component, modules that are consonant with the obtained and/or supplied authentication lists.
- the modules that still remain (e.g., modules requiring further scrutiny) are prioritized; prioritization can take one or more of the following forms.
- Identified modules can be associated with an ordered list (e.g., the order established based at least in part on the number of times that an instance of the module has been detected within a fixed and/or arbitrary period of time, the number of times that an instance of the module has been aggregated from multiple machines, etc.), color coded list (e.g., red, amber, yellow, blue, green, and/or variants thereof), tagged with a criticality flag (e.g., critical, severe, substantial, moderate, low, etc.), and the like.
- the prioritized resultant list can, at 812, be subject to dissemination to analyst workstations for further examination and possible resolution by a human intermediary and/or an artificial intelligence component.
- FIG. 9 provides yet a further methodology 900 for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- initialization processes take place after which method 900 proceeds to 904 .
- a “honey pot” process (e.g., a process that mimics a process to which malware might attach) can be created and instantiated as an instance of Internet Explorer, wherein the “honey pot” process mimics some of the functionality associated with Internet Explorer.
- the “honey pot” process merely mimics the functionality of Internet Explorer but does not necessarily provide the full suite of functionality typically associated with Internet Explorer.
- an analyst initiating the “honey pot” process is aware of the limited number of modules associated with the “honey pot” process (e.g., the analyst will be aware that the total number of modules that should be loaded equals 10). Consequently, when the “honey pot” process is loaded and investigation reveals that 11 modules were loaded, the analyst can deduce that the 11th module might be associated with malware and as such can be cause for concern, since the “honey pot” process itself does not have, for example, the full set of extensibility and plug-in modules loaded. Accordingly, at 906 the method monitors the list and number of processes that co-exist with the “honey pot” process.
- modules and/or processes that appear in authentication lists are removed from the list of modules being monitored.
- the resultant list of remaining modules and/or processes is prioritized in manners described supra.
- the method proceeds to distribute the prioritized list to analysts for further examination and possible resolution by a human intermediary and/or an artificial intelligence component.
- FIG. 10 depicts a methodology 1000 for detection of malware active on a machine in accordance with a further aspect of the subject matter as claimed.
- malware authors may execute malware code openly in the task list, innocuously naming the executing malware code (e.g., plugin_helper.exe, etc.) to mask its true nature and avoid suspicion.
- when such an event occurs, an event logger (e.g., a key-logger) generates and executes code (e.g., code could be implemented to add the occurring event to a buffer for future use, etc.).
- processes that do not consume resources between events during a first threshold number of events can be eliminated from the list.
- processes that have not been removed from the list after a second threshold (or set point) number of events are processes that have serially consumed resources and thus need further investigation.
- the list is prioritized and delivered to an analyst workstation for further examination and possible resolution by a human intermediary and/or an artificial intelligence component.
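- The two-threshold rule of FIG. 10, as an added worked example that is not part of the patent: per-process CPU consumption is sampled between successive keystrokes, any non-whitelisted process that sits idle across an inter-event interval is dropped, the survivors at the first threshold form the interim list, and whatever is still present at the second threshold is flagged and ranked. The white list, the process names and the six keystroke samples are constructed; ranking by total CPU consumed is an assumption, since the text only says the list is prioritized. The white list matters in practice: the application that owns the focused window legitimately does work on every keystroke and would otherwise be flagged alongside the logger.

```python
from collections import Counter

# Processes expected to do work on every keystroke (the focused application and
# the shell) and therefore excluded as suspects. Hypothetical white list.
WHITELIST = {"explorer.exe", "notepad.exe"}

# Constructed measurements (not from the patent): one dict per keystroke, giving
# the CPU time in milliseconds each process consumed since the previous keystroke.
# "plugin_helper.exe" plays the innocuously named logger from the text.
SAMPLES = [
    {"explorer.exe": 0, "notepad.exe": 3, "plugin_helper.exe": 1, "svchost.exe": 1, "updater.exe": 2, "tray_icon.exe": 1},
    {"explorer.exe": 1, "notepad.exe": 2, "plugin_helper.exe": 1, "svchost.exe": 0, "updater.exe": 3, "tray_icon.exe": 1},
    {"explorer.exe": 0, "notepad.exe": 4, "plugin_helper.exe": 2, "svchost.exe": 0, "updater.exe": 0, "tray_icon.exe": 1},
    {"explorer.exe": 0, "notepad.exe": 3, "plugin_helper.exe": 1, "svchost.exe": 5, "updater.exe": 0, "tray_icon.exe": 1},
    {"explorer.exe": 2, "notepad.exe": 3, "plugin_helper.exe": 1, "svchost.exe": 0, "updater.exe": 0, "tray_icon.exe": 0},
    {"explorer.exe": 0, "notepad.exe": 2, "plugin_helper.exe": 1, "svchost.exe": 0, "updater.exe": 0, "tray_icon.exe": 1},
]


def find_serial_consumers(samples, whitelist=WHITELIST, first_threshold=3, second_threshold=6):
    """Apply the two-threshold rule.

    A non-whitelisted process is eliminated as soon as it consumes nothing between
    two successive events. Whatever is left when the first threshold of events is
    reached is reported as the interim list; whatever is still left at the second
    threshold has consumed resources between every pair of events and is flagged.
    """
    if not 0 < first_threshold <= second_threshold <= len(samples):
        raise ValueError("need 0 < first_threshold <= second_threshold <= len(samples)")
    candidates = {p for usage in samples for p in usage} - set(whitelist)
    eliminated = set()
    after_first = set()
    for n, usage in enumerate(samples[:second_threshold], start=1):
        for proc in sorted(candidates):
            if usage.get(proc, 0) <= 0:      # idle in this inter-event interval
                candidates.discard(proc)
                eliminated.add(proc)
        if n == first_threshold:
            after_first = set(candidates)
    return {"eliminated": eliminated, "after_first_threshold": after_first, "flagged": set(candidates)}


def prioritize(flagged, samples):
    """Rank flagged processes by total CPU consumed over the window, highest first.
    The ranking key is an assumption; the text only says the list is prioritized."""
    totals = Counter({proc: 0 for proc in flagged})
    for usage in samples:
        for proc in flagged:
            totals[proc] += usage.get(proc, 0)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    result = find_serial_consumers(SAMPLES)
    print(result)
    print(prioritize(result["flagged"], SAMPLES))
```

- In the constructed data svchost.exe and updater.exe idle within the first three keystrokes and are dropped early, tray_icon.exe survives the first threshold but idles before the second, and only plugin_helper.exe consumes CPU in every interval and is flagged. The thresholds trade false positives against time-to-detect: a short second threshold flags bursty but benign processes, a long one delays the verdict.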
- each component of the system can be an object in a software routine or a component within an object.
- Object oriented programming shifts the emphasis of software development away from function decomposition and towards the recognition of units of software called “objects” which encapsulate both data and functions.
- Object Oriented Programming (OOP) objects are software entities comprising data structures and operations on data. Together, these elements enable objects to model virtually any real-world entity in terms of its characteristics, represented by its data elements, and its behavior represented by its data manipulation functions. In this way, objects can model concrete things like people and computers, and they can model abstract concepts like numbers or geometrical concepts.
- object technology arises out of three basic principles: encapsulation, polymorphism and inheritance.
- Objects hide or encapsulate the internal structure of their data and the algorithms by which their functions work. Instead of exposing these implementation details, objects present interfaces that represent their abstractions cleanly with no extraneous information.
- Polymorphism takes encapsulation one-step further—the idea being many shapes, one interface.
- a software component can make a request of another component without knowing exactly what that component is. The component that receives the request interprets it and figures out according to its variables and data how to execute the request.
- the third principle is inheritance, which allows developers to reuse pre-existing design and code. This capability allows developers to avoid creating software from scratch. Rather, through inheritance, developers derive subclasses that inherit behaviors that the developer then customizes to meet particular needs.
- an object includes, and is characterized by, a set of data (e.g., attributes) and a set of operations (e.g. methods), that can operate on the data.
- an object's data is ideally changed only through the operation of the object's methods.
- Methods in an object are invoked by passing a message to the object (e.g., message passing). The message specifies a method name and an argument list.
- code associated with the named method is executed with the formal parameters of the method bound to the corresponding values in the argument list.
- Methods and message passing in OOP are analogous to procedures and procedure calls in procedure-oriented software environments.
- Encapsulation provides for the state of an object to only be changed by well-defined methods associated with the object. When the behavior of an object is confined to such well-defined locations and interfaces, changes (e.g., code modifications) in the object will have minimal impact on the other objects and elements in the system.
- Each object is an instance of some class.
- a class includes a set of data attributes plus a set of allowable operations (e.g., methods) on the data attributes.
- OOP supports inheritance—a class (called a subclass) may be derived from another class (called a base class, parent class, etc.), where the subclass inherits the data attributes and methods of the base class.
- the subclass may specialize the base class by adding code which overrides the data and/or methods of the base class, or which adds new data attributes and methods.
- inheritance represents a mechanism by which abstractions are made increasingly concrete as subclasses are created for greater levels of specialization.
- a component can be, but is not limited to being, a process running on a processor, a processor, a hard disk drive, multiple storage drives (of optical and/or magnetic storage medium), an object, an executable, a thread of execution, a program, and/or a computer.
- both an application running on a server and the server itself can be components.
- One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers.
- Artificial intelligence based systems can be employed in connection with performing inference and/or probabilistic determinations and/or statistical-based determinations as in accordance with one or more aspects of the claimed subject matter as described hereinafter.
- the term “inference,” “infer” or variations in form thereof refers generally to the process of reasoning about or inferring states of the system, environment, and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action, or can generate a probability distribution over states, for example. The inference can be probabilistic—that is, the computation of a probability distribution over states of interest based on a consideration of data and events.
- Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity, and whether the events and data come from one or several event and data sources.
- Various classification schemes and/or systems (e.g., support vector machines, neural networks, expert systems, Bayesian belief networks, fuzzy logic, data fusion engines, etc.) can be employed in connection with such inference.
- computer readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk (CD), digital versatile disk (DVD) . . . ), smart cards, and flash memory devices (e.g., card, stick, key drive . . . ).
- a carrier wave can be employed to carry computer-readable electronic data such as those used in transmitting and receiving electronic mail or in accessing a network such as the Internet or a local area network (LAN).
- FIG. 11 there is illustrated a block diagram of a computer operable to execute the disclosed malware detection system.
- FIG. 11 and the following discussion are intended to provide a brief, general description of a suitable computing environment 1100 in which the various aspects of the claimed subject matter can be implemented. While the description above is in the general context of computer-executable instructions that may run on one or more computers, those skilled in the art will recognize that the subject matter as claimed also can be implemented in combination with other program modules and/or as a combination of hardware and software.
- program modules include routines, programs, components, data structures, etc., that perform particular tasks or implement particular abstract data types.
- inventive methods can be practiced with other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated devices.
- Computer-readable media can be any available media that can be accessed by the computer and includes both volatile and non-volatile media, removable and non-removable media.
- Computer-readable media can comprise computer storage media and communication media.
- Computer storage media includes both volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data.
- Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
- the exemplary environment 1100 for implementing various aspects includes a computer 1102 , the computer 1102 including a processing unit 1104 , a system memory 1106 and a system bus 1108 .
- the system bus 1108 couples system components including, but not limited to, the system memory 1106 to the processing unit 1104 .
- the processing unit 1104 can be any of various commercially available processors. Dual microprocessors and other multi-processor architectures may also be employed as the processing unit 1104 .
- the system bus 1108 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures.
- the system memory 1106 includes read-only memory (ROM) 1110 and random access memory (RAM) 1112 .
- a basic input/output system (BIOS) is stored in a non-volatile memory 1110 such as ROM, EPROM, EEPROM, which BIOS contains the basic routines that help to transfer information between elements within the computer 1102 , such as during start-up.
- the RAM 1112 can also include a high-speed RAM such as static RAM for caching data.
- the computer 1102 further includes an internal hard disk drive (HDD) 1114 (e.g., EIDE, SATA), which internal hard disk drive 1114 may also be configured for external use in a suitable chassis (not shown), a magnetic floppy disk drive (FDD) 1116 , (e.g., to read from or write to a removable diskette 1118 ) and an optical disk drive 1120 , (e.g., reading a CD-ROM disk 1122 or, to read from or write to other high capacity optical media such as the DVD).
- the hard disk drive 1114 , magnetic disk drive 1116 and optical disk drive 1120 can be connected to the system bus 1108 by a hard disk drive interface 1124 , a magnetic disk drive interface 1126 and an optical drive interface 1128 , respectively.
- the interface 1124 for external drive implementations includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies. Other external drive connection technologies are within contemplation of the claimed subject matter.
- the drives and their associated computer-readable media provide nonvolatile storage of data, data structures, computer-executable instructions, and so forth.
- the drives and media accommodate the storage of any data in a suitable digital format.
- although the description of computer-readable media above refers to a HDD, a removable magnetic diskette, and removable optical media such as a CD or DVD, it should be appreciated by those skilled in the art that other types of media which are readable by a computer, such as zip drives, magnetic cassettes, flash memory cards, cartridges, and the like, may also be used in the exemplary operating environment, and further, that any such media may contain computer-executable instructions for performing the methods of the disclosed and claimed subject matter.
- a number of program modules can be stored in the drives and RAM 1112 , including an operating system 1130 , one or more application programs 1132 , other program modules 1134 and program data 1136 . All or portions of the operating system, applications, modules, and/or data can also be cached in the RAM 1112 . It is to be appreciated that the claimed subject matter can be implemented with various commercially available operating systems or combinations of operating systems.
- a user can enter commands and information into the computer 1102 through one or more wired/wireless input devices, e.g. a keyboard 1138 and a pointing device, such as a mouse 1140 .
- Other input devices may include a microphone, an IR remote control, a joystick, a game pad, a stylus pen, touch screen, or the like.
- These and other input devices are often connected to the processing unit 1104 through an input device interface 1142 that is coupled to the system bus 1108 , but can be connected by other interfaces, such as a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.
- a monitor 1144 or other type of display device is also connected to the system bus 1108 via an interface, such as a video adapter 1146 .
- a computer typically includes other peripheral output devices (not shown), such as speakers, printers, etc.
- the computer 1102 may operate in a networked environment using logical connections via wired and/or wireless communications to one or more remote computers, such as a remote computer(s) 1148 .
- the remote computer(s) 1148 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 1102 , although, for purposes of brevity, only a memory/storage device 1150 is illustrated.
- the logical connections depicted include wired/wireless connectivity to a local area network (LAN) 1152 and/or larger networks, e.g., a wide area network (WAN) 1154 .
- LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, e.g., the Internet.
- when used in a LAN networking environment, the computer 1102 is connected to the local network 1152 through a wired and/or wireless communication network interface or adapter 1156.
- the adapter 1156 may facilitate wired or wireless communication to the LAN 1152, which may also include a wireless access point disposed thereon for communicating with the wireless adapter 1156.
- the computer 1102 can include a modem 1158 , or is connected to a communications server on the WAN 1154 , or has other means for establishing communications over the WAN 1154 , such as by way of the Internet.
- the modem 1158 which can be internal or external and a wired or wireless device, is connected to the system bus 1108 via the serial port interface 1142 .
- program modules depicted relative to the computer 1102 can be stored in the remote memory/storage device 1150 . It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.
- the computer 1102 is operable to communicate with any wireless devices or entities operatively disposed in wireless communication, e.g., a printer, scanner, desktop and/or portable computer, portable data assistant, communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone.
- the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices.
- Wi-Fi (Wireless Fidelity) is a wireless technology similar to that used in a cell phone that enables such devices, e.g., computers, to send and receive data indoors and out, anywhere within the range of a base station.
- Wi-Fi networks can for example use radio technologies called IEEE 802.11x (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity. Other radio technologies that can also be employed include Bluetooth, RF, and the like.
- a Wi-Fi network can be used to connect computers to each other, to the Internet, and to wired networks (which use IEEE 802.3 or Ethernet).
- Wi-Fi networks can operate in the unlicensed 2.4 and 5 GHz radio bands.
- IEEE 802.11 applies generally to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
- IEEE 802.11a is an extension to IEEE 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band.
- IEEE 802.11a uses an orthogonal frequency division multiplexing (OFDM) encoding scheme rather than FHSS or DSSS.
- IEEE 802.11b (also referred to as 802.11 High Rate DSSS or Wi-Fi) is an extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band.
- IEEE 802.11g applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.
- Products can contain more than one band (e.g., dual band), so the networks can provide real-world performance similar to the basic 10BaseT or 100BaseT wired Ethernet networks used in many offices.
- referring now to FIG. 12, the system 1200 includes one or more client(s) 1202.
- the client(s) 1202 can be hardware and/or software (e.g., threads, processes, computing devices).
- the client(s) 1202 can house cookie(s) and/or associated contextual information by employing the claimed subject matter, for example.
- the system 1200 also includes one or more server(s) 1204 .
- the server(s) 1204 can also be hardware and/or software (e.g., threads, processes, computing devices).
- the servers 1204 can house threads to perform transformations by employing the claimed subject matter, for example.
- One possible communication between a client 1202 and a server 1204 can be in the form of a data packet adapted to be transmitted between two or more computer processes.
- the data packet may include a cookie and/or associated contextual information, for example.
- the system 1200 includes a communication framework 1206 (e.g., a global communication network such as the Internet) that can be employed to facilitate communications between the client(s) 1202 and the server(s) 1204 .
- Communications can be facilitated via a wired (including optical fiber) and/or wireless technology.
- the client(s) 1202 are operatively connected to one or more client data store(s) 1208 that can be employed to store information local to the client(s) 1202 (e.g., cookie(s) and/or associated contextual information).
- the server(s) 1204 are operatively connected to one or more server data store(s) 1210 that can be employed to store information local to the servers 1204 .
Abstract
Description
- It has become increasingly common for programs known as spyware to eavesdrop on and/or monitor an individual's activity, and report back such activity to the entity that initiated and/or instantiated the spyware. Typically, spyware is computer software that collects personal information (e.g., passwords, Personal Identification Numbers (PINs), Social Security information, bank account, credit card and other ancillary financial details, etc.) about individuals without their consent. In one sense, spyware is software that monitors user behavior, or gathers information about the user that can include personally identifiable or other sensitive information, through an executable program, deployed without adequate notice, consent, or control for the user. Alternatively, spyware can be thought of as potentially unwanted technologies deployed without appropriate user consent and/or implemented in ways that impair user control over, for example, material changes that affect their experience, privacy, or system security; use of their system resources, including programs installed on their computers; and/or collection, use, and distribution of their personal or other sensitive information.
- Additionally, adware, programs that cause advertising content to be delivered and displayed, potentially in a manner or context that can be unexpected or unwanted by users, has also become a prevalent feature of the modern computing experience. Many adware applications, in addition to causing advertising content to be displayed unexpectedly, can also include tracking functionalities similar to those common in spyware.
- The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed subject matter. This summary is not an extensive overview, and it is not intended to identify key/critical elements or to delineate the scope thereof. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
- The claimed subject matter in one aspect relates to a machine implemented system that detects malware secreted and/or hidden in plain sight on the machine. The system includes a detection component that can generate lists of all the modules loaded on the machine and thereafter can identify from the generated list a sub-set of modules common to more than a threshold number of processes. The system having identified the sub-set of modules extant in more than a threshold number of processes can utilize this subset to further thin the list by eliminating modules that are included in authentication lists supplied either by application software developers and/or by verified third-party software authenticators. The filtered list can then be prioritized based, for example, on a number of occurrences a particular module makes in the list, and thereafter the filtered and prioritized list can be forwarded to an analyst for further attention and investigation.
- In a further aspect, the claimed subject matter can measure whether any form of DLL injection is being used on a machine by measuring, for example, the intersection of non-whitelisted DLLs across all processes, across all processes that have accepted a certain event (such as a keystroke), and by measuring whether any module ends up injected into a honey pot version of a common process (e.g., a process implemented to look more vulnerable than it truly is, and to keep records of everything that happens to it). Additionally, the claimed subject matter can measure whether any non-whitelisted process consistently consumes resources between successive events, such as, for example, repeated keystrokes. The responses to these measurements can be used together with other measurements as input to a prioritization component that decides which of a larger number of suspected malware samples is most in need of an analyst's attention.
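- The core measurement summarised in the two paragraphs above (modules loaded in more than a threshold number of processes, thinned by vendor and third-party authentication lists and ranked by occurrence count, plus the intersection of non-whitelisted modules across the processes that accepted a given event), as an added worked example that is not part of the patent and not code from its assignee. The process snapshot, both authentication lists and the module names are constructed; a deployable version would take the per-process module list from the operating system rather than from a literal.

```python
from collections import Counter

# Constructed snapshot (not real data): process name -> modules it has loaded.
# "plugin_helper.dll" plays an injected module; it rides along in every process
# that loaded user32.dll, which is the injection pattern the text describes.
PROCESS_MODULES = {
    "explorer.exe": {"ntdll.dll", "kernel32.dll", "user32.dll", "shell32.dll", "plugin_helper.dll"},
    "notepad.exe":  {"ntdll.dll", "kernel32.dll", "user32.dll", "comdlg32.dll", "plugin_helper.dll"},
    "iexplore.exe": {"ntdll.dll", "kernel32.dll", "user32.dll", "wininet.dll", "plugin_helper.dll", "vendor_toolbar.dll"},
    "outlook.exe":  {"ntdll.dll", "kernel32.dll", "user32.dll", "mapi32.dll", "plugin_helper.dll", "vendor_toolbar.dll"},
    "svchost.exe":  {"ntdll.dll", "kernel32.dll", "rpcrt4.dll"},
    "calc.exe":     {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "plugin_helper.dll"},
}

# Authentication lists: one from the OS vendor, one from a verified third-party
# authenticator. Hypothetical contents.
VENDOR_LIST = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "shell32.dll",
               "comdlg32.dll", "wininet.dll", "mapi32.dll", "rpcrt4.dll"}
THIRD_PARTY_LIST = {"vendor_toolbar.dll"}


def _lower(names):
    """Case-fold module names before comparing them."""
    return {n.lower() for n in names}


def module_occurrences(process_modules):
    """Count, for every module, how many distinct processes have it loaded."""
    counts = Counter()
    for modules in process_modules.values():
        counts.update(_lower(modules))
    return counts


def suspicious_modules(process_modules, threshold, auth_lists):
    """Modules present in more than `threshold` processes and absent from every
    authentication list, ranked by occurrence count (ties broken by name)."""
    allowed = set().union(*(_lower(lst) for lst in auth_lists))
    counts = module_occurrences(process_modules)
    kept = {m: n for m, n in counts.items() if n > threshold and m not in allowed}
    return sorted(kept.items(), key=lambda kv: (-kv[1], kv[0]))


def event_scoped_intersection(process_modules, event_receivers, auth_lists):
    """Non-whitelisted modules common to every process that accepted a given
    event (for example, a keystroke). Empty if no process received the event."""
    allowed = set().union(*(_lower(lst) for lst in auth_lists))
    module_sets = [_lower(process_modules[p]) for p in event_receivers]
    if not module_sets:
        return set()
    return set.intersection(*module_sets) - allowed


if __name__ == "__main__":
    print(suspicious_modules(PROCESS_MODULES, 3, [VENDOR_LIST, THIRD_PARTY_LIST]))
    print(event_scoped_intersection(PROCESS_MODULES,
                                    ["explorer.exe", "notepad.exe", "iexplore.exe"],
                                    [VENDOR_LIST, THIRD_PARTY_LIST]))
```

- Matching on the bare file name, as here, is a simplification that a deployable version should not keep: a malicious module can reuse a system DLL's name from a different directory, so the authentication lists and the occurrence counts should be keyed on full path plus a hash or signature. The threshold also has to be read against the number of processes sampled; with six processes a threshold of three already excludes anything loaded by fewer than four.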
- In yet a further aspect of the subject matter as claimed, measurements can be made on the PCs of many diverse users who happen to have suspected malware installed on their machines, wherein the measurements can be reported to a prioritization component that aggregates the information before prioritizing for dissemination to analysts.
- In another aspect of the claimed subject matter, suspected malware can be placed in a controlled environment (e.g., an emulator, a virtual machine, etc.) for study, measurements obtained from various tests carried out on the suspected malware samples, and results passed to a prioritization component that can convey prioritized lists of suspected malware to an analyst's workstation for further examination.
- To the accomplishment of the foregoing and related ends, certain illustrative aspects of the disclosed and claimed subject matter are described herein in connection with the following description and the annexed drawings. These aspects are indicative, however, of but a few of the various ways in which the principles disclosed herein can be employed, and the claimed subject matter is intended to include all such aspects and their equivalents. Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawings.
- FIG. 1 illustrates a malware detection system in accordance with the claimed subject matter.
- FIG. 2 provides a more detailed depiction of a detection component in accordance with one aspect of the claimed subject matter.
- FIG. 3 provides a more detailed illustration of an analysis component in accordance with the disclosed subject matter.
- FIG. 4 illustrates a system that employs intelligence to facilitate detection of malware in accordance with an aspect of the disclosed subject matter.
- FIG. 5 provides an illustrative view of application and/or memory space assigned to applications and processes in accordance with an aspect of the claimed subject matter.
- FIG. 6 illustrates a flow diagram of a methodology that effectuates detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- FIG. 7 provides a further methodology for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- FIG. 8 provides a further methodology for detection of malware executing on a machine in accordance with a further aspect of the claimed subject matter.
- FIG. 9 provides yet a further methodology for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter.
- FIG. 10 depicts a methodology for detection of malware active on a machine in accordance with a further aspect of the subject matter as claimed.
- FIG. 11 illustrates a block diagram of a computer operable to execute the spyware detection architecture.
- FIG. 12 illustrates a schematic block diagram of an exemplary computing environment for processing the spyware detection architecture in accordance with another aspect.
- The subject matter as claimed is now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding thereof. It may be evident, however, that the claimed subject matter can be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate a description thereof.
- The claimed subject matter, for the purposes of clarity, simplicity of explication, and comprehension, is elucidated in terms of key-logging and/or event-logging. Nevertheless, the subject matter as claimed is not so limited, and can find application in a plethora of other malware detection mechanisms and applications. Accordingly, any and all such applicability and derivations thereof are deemed to fall within the purview of the claimed subject matter.
- Malware (e.g., spyware, adware, crimeware, fraudware, viruses, worms, and the like) generally attempts to conceal itself. Typically, malware authors go to great lengths to conceal the presence of their creations and more particularly the fact that such code is executing. Nevertheless, depending on the level of sophistication of the user there are various attributes that can reveal the fact that malware is resident and active on a machine. For example, a user can instantiate a system utility (e.g., Task Manager, Process Manager, Session Manager, etc.) to investigate active processes, threads, applications, and programs. Such investigation can reveal processes that the user does not recognize and as such provide indication that these processes might be malware.
- As stated above, many, if not all, malware authors go to considerable lengths to ensure that their version of malware is concealed and is virtually undetectable by the uninitiated. For example, malware typically does not openly execute as “eventlogger.exe”, “malware.exe”, “spyware.exe”, “adware.exe”, and/or “crimeware.exe” per se. Thus, unless the malware author is careless, it is highly improbable that casual perusal of the system utility will expose the existence of operative malware.
- One technique typically employed by authors of malicious processes and/or software to avoid detection and/or to conceal malware activity on a machine is a technique known as Dynamic Link Library (DLL) injection wherein a process or thread is inserted and executes in the memory space of a legitimate process. For example, a malicious process called “keylogger.exe” can launch a thread, but instead of the thread being associated with “keylogger.exe”, the thread masquerades as belonging to legitimate process “legitimate.exe”. Malicious process “keylogger.exe” once it has accomplished its goal of launching its thread can vanish, but the thread initiated by “keylogger.exe” remains active but hidden since it is inside another, potentially legitimate, process—effectively spying on the user's activities with regard to other legitimately running processes and applications. Thus, when a system utility is consulted all that can be seen to be executing are those processes that one would expect to be active. Nevertheless, legitimate process “legitimate.exe” now has an extraneous parasitic thread associated with it that the user has little or no ability to detect. For example, legitimate process “legitimate.exe” may typically execute with between 20 and 30 threads and it is unlikely that an average user would be able to detect that an additional thread is present.
- There are a number of methods of accomplishing DLL injection, the principle one being to attach to every process that loads certain modules. Typically, when processes commence execution they can load a plethora of disparate DLLs. Many of the DLLs that are loaded are system and user interface (e.g. Graphical User Interface) files, such as kernel32, user32, and the like. Authors of malicious processes and/or software can utilize this fact to associate malicious processes and/or software with these commonly loaded DLLs so that whenever a process calls one of these commonly loaded DLLs an instance of the parasitic process is loaded as well. Thus, when a legitimate process of its own accord loads a commonly loaded DLL, it unwittingly causes the malicious process (or repeated instances of the malicious process) to be introduced into the system unbidden and unasked.
- Another technique for accomplishing DLL injection is for the malicious process to attach on particular common events (e.g., keystrokes, mouse clicks, right-mouse clicks, left-mouse clicks, etc.). For example, when a legitimate process accepts a keystroke, then the process that has a window open that accepted the keystroke will have associated thereto an instance of the malicious process DLL. There are mechanisms that malicious processes have for inserting a DLL into an executing process, when the insertion takes place or depending on how the author of malicious processes and/or software implemented the point of insertion, the malicious process can be started upon specific events occurring. As persons of reasonable skill in the art will readily recognize there are a multiplicity of event handlers (e.g. listening for particular external events, user action and/or user inaction, etc.) associated with a typical operating system environment. Consequently, when a particular event occurs (e.g., when a key is pressed, when combination of keys is depressed, a mouse is moved, a mouse button clicked, a mouse button double clicked, etc.) code is executed every time that event occurs.
- A further method for accomplishing malicious process insertion targets specific processes, wherein the author of malicious software and/or processes creates a thread executing in a particular legitimate process. This is a very targeted and selective approach in that the malicious process thread typically only runs in the specific process to which it is directed. The benefit to the author of malicious software and/or processes is that the malicious process code has a much lower footprint, the better to avoid detection and achieve stealth. Thus, in this scenario the author generally targets a process and/or application that is typically beyond reproach and that has a fairly high probability of being executed on a continuous and/or periodic basis. Having identified such an application and/or process, the author inserts a single thread into the identified application and/or process.
- FIG. 1 illustrates a malware detection system 100 that continuously, dynamically and automatically oversees, individually and/or collectively, a first processor 110 1, a second processor 110 2, through to an Nth processor 110 N, N being an integer greater than or equal to one. The first processor 110 1, the second processor 110 2, through to the Nth processor 110 N can be referred to collectively as processors 110. Processors 110 can be in operative and continuous communication with detection component 130 via communication medium 120. Processors 110 can include any industrial, commercial, and/or consumer machinery with embedded, affiliated, associated and/or encapsulated processors, such as industrial automation devices, computing devices (e.g., laptops, notebook computers, Personal Digital Assistants (PDAs), . . . ), cell phones, telephony equipment and/or devices, household and/or commercial appliances, etc. Processors 110 can include those of users who run a particular piece of software or participate in a particular network. Additionally, processors 110 can have associated storage, memory, etc. Further, communication medium 120 can include Ethernet, Wireless Ethernet, Wi-Fi, satellite based technologies, and the like.
- Detection component 130 continuously monitors processors 110 to detect the existence of malicious processes (e.g., spyware, adware, crimeware, fraudware, viruses, etc.). Upon detecting evidence of malicious processes, detection component 130 can analyze the instance that raised the alarm to determine with certitude whether the instance constitutes malware, and if so can direct a notification to an analyst who investigates the issue further. Additionally and/or alternatively, detection component 130 can aggregate and/or classify the instances of detected malware and provide a prioritized report (e.g., flagging and ordering those items of detected malware which pose the greatest risk to the smooth running of the machine) to the analyst for further investigation and/or remedial measures. Moreover, detection component 130 can also, if necessary, generate and create remedial signature files for dissemination to processors 110 in order to curtail the continued operation of malware on processors 110.
- FIG. 2 provides a more detailed depiction 200 of detection component 130. As illustrated, detection component 130 can include interface 210 that receives data related to processes, applications, threads and DLLs loaded and executed by processors 110. Interface 210 can further disseminate notifications, by way of, for example, prioritized reports, color coded lists, etc., to analyst workstations for further investigation by human intermediaries. Alternatively and/or additionally, interface 210 can trigger one or more automated responses and/or code execution. For example, if particular malicious processes have been detected in the past, interface component 210 can issue a set of commands and/or present a dialog box on further detection of the same or a similar malicious process.
- On receipt of data related to processes, applications, threads and DLLs loaded and executed by processors 110, interface 210 conveys such data to analysis component 220, which peruses all loaded modules executing in memory space associated with processors 110 and identifies modules that may warrant further attention. Once analysis component 220 has located modules that might warrant further attention, analysis component 220 can persist copies of code associated with identified modules in store 240. Alternatively and/or additionally, analysis component 220 can communicate information associated with the identification to notification component 230. Notification component 230, on receipt of the information from analysis component 220, can automatically and immediately generate a report (e.g., notification) that can be immediately forwarded to analyst workstations for further analysis by human intermediaries. Alternatively and/or additionally, notification component 230 can generate the report on a periodic basis (e.g., once a month, once a week, once a day, twice a day, every four hours, etc.), wherein it is to be understood in this aspect that notification component 230 retrieves information previously and/or contemporaneously persisted by analysis component 220 in store 240 and thereafter generates the necessary notifying report.
- FIG. 3 provides a more detailed illustration 300 of analysis component 220 in accordance with an aspect of the claimed subject matter. Analysis component 220 can include listing component 310, elimination component 320 and prioritization component 330. Listing component 310 obtains from processors 110 (not shown) a list of all active DLLs that are loaded in more than a threshold number (the threshold number being previously or contemporaneously supplied by a human intermediary or dynamically established through use of artificial intelligence) of processes. As will be understood by those conversant in the art, processes and applications typically load DLLs for a number of purposes throughout the execution of the particular process and/or application. Thus, for example, when an application is loaded, the application can load many DLLs that can be written, for instance, by the application vendor/manufacturer, operating system supplier, parties that specialize in providing legitimate third-party add-ins, etc. In general, processes and applications will have some DLLs loaded that are specific to the process and application (e.g., written specifically by the particular application developers) and some DLLs that are common to many applications and processes (e.g., those provided by the operating system to effectuate common system tasks employed by many processes and applications).
- Accordingly, listing component 310 in one aspect generates lists of all active DLLs that are loaded in more than a threshold number of processes. For example and with reference to FIG. 5, if three applications from different application vendors (e.g., A, I, and Q) are loaded into a particular processor's memory and/or application space, listing component 310 can ascertain from the total list of loaded DLLs the set of common DLLs (e.g., Z as illustrated in FIG. 5) that are being utilized by all three executing applications. In other words, listing component 310 identifies the list of common DLLs that reside at the intersection of the respective memory spaces allocated to each application. Thus, modules that are unique to application A will not appear in the intersection list; similarly, modules specific to applications I and Q also will not appear in the intersection list. Only modules that are common to all three of the illustrative applications will be identified by listing component 310 as being worthy of further review and analysis.
- Once listing component 310 has ascertained a list of common modules executing with all active applications and processes, the list is provided to elimination component 320, which in conjunction with one or more white lists (e.g., lists of modules provided by application vendors and/or other verifying or certifying bodies the authenticity of which is beyond reproach) eliminates those modules from the list that are known to be good (e.g., modules are eliminated based on the fact that they appear in the one or more white lists). Elimination component 320 can ascertain that a module in the list of common modules corresponds with items supplied on the white list by comparing a cryptographic hash, such as MD5 or SHA-1, of the file with the hashes of files known to be good on the white list, for example. Additionally and/or alternatively, other methods which uniquely identify software can also be used. Thus, once elimination component 320 has eliminated known good modules from the list, the modules that remain can be considered potentially unwanted modules and as such candidates for further investigation and/or immediate action based at least in part on previously defined sets of commands.
- It should be noted that merely because a module has been identified as being of unverified or dubious provenance is not an implication that the module is actionably bad, but rather is an indication that the module's intent and/or purpose has yet to be verified and as such requires further consideration.
- Accordingly, once elimination component 320 has whittled down the list of common modules to a list that contains modules of dubious provenance, this reduced list can be provided to prioritization component 330. Prioritization component 330, on receipt of the reduced list, can provide a ranking (e.g., based on how detrimental the perceived threat from the module might be, based on the number of times a particular module finds its way onto the list, etc.) for use by notification component 230 (see FIG. 2). Prioritization component 330 additionally can accept input and measurements from many other sources of data 340. For example, in addition to DLL injection, measurement of other system resources used by software can be valuable to prioritization component 330. Measurements can include, for instance, registry keys written, read, and/or altered by software, files that are accessed and/or modified, etc. Measurements can be made on PCs of diverse users who happen to have the suspected malware installed and reports can be sent to a centralized prioritization component. Alternatively and/or additionally, measurements can be made in a laboratory environment. In addition, prioritization component 330 can attach meta-data, or a report, to each suspected malware sample that is processed. For example, the presence of DLL injection can be useful to a human analyst who will examine the sample and possibly compile anti-virus signatures as a response to the detected DLL injection.
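The listing, elimination and prioritization pipeline of FIG. 3, together with the FIG. 8 variant (block 806) that counts only processes that recently accepted an event, as an added Python example that is not part of this specification. The module names, file contents (and therefore the hashes), white list, threshold, score cut-offs and criticality labels are all constructed for illustration.

```python
"""Listing / elimination / prioritization pipeline of FIG. 3 (added example)."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    path: str
    sha1: str  # hex SHA-1 of the on-disk file, which the elimination step compares


@dataclass(frozen=True)
class Process:
    name: str
    modules: tuple
    accepted_event: bool = False  # FIG. 8: process handled a keystroke/click recently


def file_hash(data: bytes) -> str:
    """Constructed stand-in for hashing a module file read from disk."""
    return hashlib.sha1(data).hexdigest()


# Constructed module set: two system DLLs, one app-specific DLL per application,
# and an unknown module "Z" that turns up in every application (cf. FIG. 5).
KERNEL32 = Module("kernel32.dll", file_hash(b"constructed kernel32 bytes"))
USER32 = Module("user32.dll", file_hash(b"constructed user32 bytes"))
A_CORE = Module("a_core.dll", file_hash(b"constructed app A bytes"))
I_UI = Module("i_ui.dll", file_hash(b"constructed app I bytes"))
Q_NET = Module("q_net.dll", file_hash(b"constructed app Q bytes"))
Z_DLL = Module("z.dll", file_hash(b"constructed unknown module Z"))

SAMPLE_PROCESSES = (
    Process("A.exe", (KERNEL32, USER32, A_CORE, Z_DLL), accepted_event=True),
    Process("I.exe", (KERNEL32, USER32, I_UI, Z_DLL)),
    Process("Q.exe", (KERNEL32, USER32, Q_NET, Z_DLL), accepted_event=True),
    Process("explorer.exe", (KERNEL32, USER32), accepted_event=True),
)

# Constructed white list keyed by hash, as a vendor or certifying body would supply it.
SAMPLE_WHITELIST = {KERNEL32.sha1, USER32.sha1}


def list_common_modules(processes, threshold, require_event=False):
    """Listing component 310: modules loaded in more than `threshold` processes.
    With require_event=True only processes that accepted an event are counted
    (FIG. 8, block 806)."""
    counts = Counter()
    for proc in processes:
        if require_event and not proc.accepted_event:
            continue
        for mod in set(proc.modules):  # a module counts once per process
            counts[mod] += 1
    return {mod: n for mod, n in counts.items() if n > threshold}


def eliminate_whitelisted(common, whitelist_hashes):
    """Elimination component 320: a hash match against the white list clears a module.
    Matching on the hash rather than the file name means a replaced or renamed
    file with the same name is not cleared."""
    return {mod: n for mod, n in common.items() if mod.sha1 not in whitelist_hashes}


def prioritize(remaining, prior_sightings=None):
    """Prioritization component 330: rank by process count plus earlier sightings
    of the same hash and attach a criticality flag of the kind FIG. 8 describes."""
    prior_sightings = prior_sightings or {}
    ranked = []
    for mod, n in remaining.items():
        score = n + prior_sightings.get(mod.sha1, 0)
        flag = "critical" if score >= 6 else "substantial" if score >= 4 else "moderate"
        ranked.append((mod.path, mod.sha1, score, flag))
    ranked.sort(key=lambda row: (-row[2], row[0]))
    return ranked


def run_pipeline(processes=SAMPLE_PROCESSES, whitelist=SAMPLE_WHITELIST,
                 threshold=2, require_event=False, prior_sightings=None):
    """Blocks 604-610 of FIG. 6 run end to end; returns the prioritized list."""
    common = list_common_modules(processes, threshold, require_event)
    remaining = eliminate_whitelisted(common, whitelist)
    return prioritize(remaining, prior_sightings)


if __name__ == "__main__":
    for path, digest, score, flag in run_pipeline():
        print(f"{flag:12} score={score}  {path}  sha1={digest[:12]}...")
```

With the sample data only z.dll survives; the event-filtered variant drops it because only two of the three event-accepting processes load it.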
- FIG. 4 illustrates a system 400 that employs intelligence to facilitate detection of malware. The system 400 can include analysis component 220 and notification component 230, which can be substantially similar to respective components, services, network services, interfaces, and interface components described in previous figures. System 400 further includes an intelligent component 410. The intelligent component 410 can be utilized by both analysis component 220 and notification component 230 to facilitate accurately detecting, identifying and classifying malware and to further provide appropriate notifications to analysts. For example, the intelligent component 410 can infer and classify malware based on previously persisted signatures as being either benign or malignant or inimical to the smooth and secure running of processors 110, etc. Further, intelligent component 410 can employ persisted behaviors associated with previously classified malware to refine and/or vary the definitional norm for execution of various legitimate software (e.g., application and/or operating system software) and, based at least in part upon these refinements and/or variations, detect abnormalities of operation in such legitimate software.
- It is to be understood that the intelligent component 410 can provide for reasoning about or inferring states of the system, environment, and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action, or can generate a probability distribution over states, for example. The inference can be probabilistic—that is, the computation of a probability distribution over states of interest based on a consideration of data and events. Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity, and whether the events and data come from one or several event and data sources. Various classification (explicitly and/or implicitly trained) schemes and/or systems (e.g., support vector machines, neural networks, expert systems, Bayesian belief networks, fuzzy logic, data fusion engines . . . ) can be employed in connection with performing automatic and/or inferred action in connection with the claimed subject matter.
- A classifier is a function that maps an input attribute vector, x=(x1, x2, x3, x4, xn), to a confidence that the input belongs to a class, that is, f(x)=confidence(class). Such classification can employ a probabilistic and/or statistical-based analysis (e.g., factoring into the analysis utilities and costs) to infer an action that a user desires to be automatically performed. A support vector machine (SVM) is an example of a classifier that can be employed. The SVM operates by finding a hypersurface in the space of possible inputs, which hypersurface attempts to split the triggering criteria from the non-triggering events. Intuitively, this makes the classification correct for testing data that is near, but not identical to, training data. Other directed and undirected model classification approaches, e.g., naive Bayes, Bayesian networks, decision trees, neural networks, fuzzy logic models, and probabilistic classification models providing different patterns of independence, can also be employed. Classification as used herein is also inclusive of statistical regression that is utilized to develop models of priority.
- In view of the exemplary systems shown and described supra, methodologies that may be implemented in accordance with the disclosed subject matter will be better appreciated with reference to the flow charts of FIGS. 6-10. While for purposes of simplicity of explanation, the methodologies are shown and described as a series of blocks, it is to be understood and appreciated that the claimed subject matter is not limited by the order of the blocks, as some blocks may occur in different orders and/or concurrently with other blocks from what is depicted and described herein. Moreover, not all illustrated blocks may be required to implement the methodologies described hereinafter. Additionally, it should be further appreciated that the methodologies disclosed hereinafter and throughout this specification are capable of being stored on an article of manufacture to facilitate transporting and transferring such methodologies to computers.
- The claimed subject matter can be described in the general context of computer-executable instructions, such as program modules, executed by one or more components. Generally, program modules can include routines, programs, objects, data structures, etc. that perform particular tasks or implement particular abstract data types. Typically the functionality of the program modules may be combined and/or distributed as desired in various aspects.
- FIG. 6 illustrates a methodology 600 for detecting malware executing on a machine. Method 600 commences at 602 where various and sundry processor initialization tasks and background activities are performed, at which point the method proceeds to 604. At 604 the method lists all modules that have been loaded into a particular processor's application and/or memory space. At 606 the method refines the list by filtering out modules that are specific to a single application or process. At 608 the method eliminates modules that appear on white lists provided by application manufacturers and/or reliable independent certification agencies. At 610 the remaining items on the list are prioritized and/or amalgamated with other lists that can have been previously generated to provide a report of modules whose provenance is questionable. From 610 the method progresses to 612 wherein the prioritized, sorted and/or amalgamated list is disseminated to analyst workstations for further investigation by human analysts.
- FIG. 7 provides a further methodology 700 for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter. Method 700 commences at 702 wherein initialization and background activities are performed. At 704 the method produces a list of all modules that have been loaded into the application and/or memory space of a particular processor. At 706 the initially generated list is trimmed by eliminating modules from the list that are specific to a particular application (e.g., those modules that are not employed by more than a threshold number of processes). At 708 the method further trims the list by eliminating modules that are included in white lists (or verification lists) obtained from software suppliers, application software providers, trusted third party certification agencies, and the like. At 710 those items that remain on the trimmed list are categorized, prioritized and/or amalgamated with other lists that can have been previously generated to provide a report of modules whose provenance is questionable. The questionable provenance of modules can be based at least in part on the software code that initiated the module to load (e.g., known applications, operating system components, websites whose reputations are known, unknown, or known to be bad, etc.). From 710 the method progresses to 712 wherein the prioritized, categorized and/or amalgamated list is disseminated to analyst workstations for further investigation by human analysts. At 714 the method can, with input from an artificial intelligence engine and/or human analysts, dynamically and automatically generate a signature file (e.g., for use in detection of subsequent malware and/or mutations thereof) for use in countering instances of malware that are surreptitiously implemented on a particular machine and/or processor.
- FIG. 8 provides a further methodology 800 for detection of malware executing on a machine in accordance with a further aspect of the claimed subject matter. At 802 multiple background initialization and activities are performed, whereupon method 800 proceeds to 804 where a list of all modules resident in application memory space is generated. At 806 the initial list generated at 804 is truncated by focusing on modules that are common to more than a threshold number (e.g., the threshold number dynamically and automatically determined in conjunction with an artificial intelligence attribute and/or supplied by human intermediaries) of processes and where the module is associated with a process that has accepted at least one event in the immediate past. For example, if one were looking to identify key-loggers with specificity, uncovering modules that have accepted keystrokes in the immediate past is definitely sensible and efficacious to the detection and subsequent elimination of such instances of malware. At 808 the method identifies, in conjunction with authentication lists obtained and/or supplied from one or more external sources (e.g., application developer, pre-analysis of source by independent third party authenticators, periodic updates from authenticated application source vendor, etc.) and/or dynamically generated by an artificial intelligence component, modules that are consonant with the obtained and/or supplied authentication lists. At 810 modules that still remain (e.g., modules requiring further scrutiny) are prioritized. Prioritization can take one or more of the following forms. Identified modules can be associated with an ordered list (e.g., the order established based at least in part on the number of times that an instance of the module has been detected within a fixed and/or arbitrary period of time, the number of times that an instance of the module has been aggregated from multiple machines, etc.), a color coded list (e.g., red, amber, yellow, blue, green, and/or variants thereof), tagged with a criticality flag (e.g., critical, severe, substantial, moderate, low, etc.), and the like. The prioritized resultant list can, at 812, be subject to dissemination to analyst workstations for further examination and possible resolution by a human intermediary and/or an artificial intelligence component.
- FIG. 9 provides yet a further methodology 900 for detection of malware executing on a machine in accordance with an aspect of the claimed subject matter. At 902 initialization processes take place, after which method 900 proceeds to 904. At 904 a “honey pot” process (e.g., a process that mimics a process to which malware might attach) is initiated. For example, if it is determined that malware might wish to create a remote process associated with Internet Explorer, a “honey pot” process can be created and instantiated as an instance of Internet Explorer, wherein the “honey pot” process mimics some of the functionality associated with Internet Explorer. It should be noted that the “honey pot” process merely mimics the functionality of Internet Explorer but does not necessarily provide the full suite of functionality typically associated with Internet Explorer. Thus, the “honey pot” process being a known quantity, an analyst initiating the “honey pot” process is aware of the limited number of modules associated with the “honey pot” process (e.g., the analyst will be aware that the total number of modules that should be loaded equals 10). Consequently, when the “honey pot” process is loaded and investigation reveals that 11 modules were loaded, the analyst can deduce that the 11th module might be associated with malware and as such can be cause for concern, since the “honey pot” process itself does not have, for example, the full set of extensibility and plug-in modules loaded. Accordingly, at 906 the method monitors the list and number of processes that co-exist with the “honey pot” process. At 908 modules and/or processes that appear in authentication lists (e.g., white lists) are removed from the list of modules being monitored. At 910 the resultant list of remaining modules and/or processes is prioritized in the manners described supra. At 912 the method commences to distribute the prioritized list to analysts for further examination and possible resolution by a human intermediary and/or an artificial intelligence component.
- FIG. 10 depicts a methodology 1000 for detection of malware active on a machine in accordance with a further aspect of the subject matter as claimed. It is recognized that occasionally malware does not employ DLL injection methodologies to effectuate malware introduction to systems and machines. Under this scenario, malware authors execute malware code openly in the task list, innocuously naming the executing malware code (e.g., plugin_helper.exe, etc.) to masquerade the true nature of the malware code and to avoid suspicion. Accordingly, for example, an event logger (e.g., key-logger) can surreptitiously record events as these events occur. Thus, every time an event occurs code is generated and executed (e.g., code could be implemented to add the occurring event to a buffer for future use, etc.). However, because recording and storing events utilizes resources, albeit minuscule, it can be difficult to entirely conceal this aspect of malware. Moreover, it is exceedingly atypical that a process will utilize resources for long and continuous durations of time (e.g., it is unusual that a process will have activity associated with it after each and every instance of an event). Therefore, by utilizing these observations methodology 1000 can detect malware active on a machine by performing background and initialization processes at 1002, and thereafter at 1004 and 1006 periodically and/or continuously monitoring resource consumption of a processor and maintaining a list of processes that continually consume resources over a discrete period of time (e.g., resources are consumed for every successive event that occurs regardless of the application in focus). At 1008 processes that do not consume resources between a first threshold number of events (e.g., one, two, three, four, etc.) can be eliminated. At 1010 processes that have not been removed from the list after a second threshold (or a set point) are processes that have serially consumed resources and thus need further investigation. Thus, at 1010 the list is prioritized and delivered to an analyst workstation for further examination and possible resolution by a human intermediary and/or an artificial intelligence component.
- The claimed subject matter can be implemented via object oriented programming techniques. For example, each component of the system can be an object in a software routine or a component within an object. Object oriented programming shifts the emphasis of software development away from function decomposition and towards the recognition of units of software called “objects” which encapsulate both data and functions. Object Oriented Programming (OOP) objects are software entities comprising data structures and operations on data. Together, these elements enable objects to model virtually any real-world entity in terms of its characteristics, represented by its data elements, and its behavior represented by its data manipulation functions. In this way, objects can model concrete things like people and computers, and they can model abstract concepts like numbers or geometrical concepts.
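Returning to the resource-consumption screen of FIG. 10 (blocks 1004-1010), as an added Python example that is not part of this specification. The per-event samples, process names and both thresholds are constructed; excluding the process that holds input focus from the count is an assumption made to reflect the "regardless of the application in focus" criterion, since the focused process is expected to do work on its own input.

```python
"""Event-correlated resource-consumption screen of FIG. 10 (added example)."""
from collections import defaultdict

# Constructed observations: for each successive user event (keystroke, click, ...),
# the process holding input focus and the set of processes that consumed CPU/IO
# in the short window after the event. "plugin_helper.exe" is the innocuously
# named process of the FIG. 10 scenario; it is never in focus yet always busy.
SAMPLE_EVENTS = [
    ("notepad.exe", {"notepad.exe", "plugin_helper.exe", "svchost.exe"}),
    ("notepad.exe", {"notepad.exe", "plugin_helper.exe"}),
    ("browser.exe", {"plugin_helper.exe"}),
    ("browser.exe", {"browser.exe", "plugin_helper.exe"}),
    ("browser.exe", {"browser.exe", "plugin_helper.exe", "svchost.exe"}),
    ("browser.exe", {"browser.exe", "plugin_helper.exe"}),
    ("browser.exe", {"browser.exe", "plugin_helper.exe"}),
    ("browser.exe", {"plugin_helper.exe"}),
]


def find_serial_consumers(event_samples, first_threshold, set_point):
    """Blocks 1004-1010 of FIG. 10.

    first_threshold: a candidate that stays quiet for this many consecutive
        events is dropped (block 1008); the drop is sticky for the period.
    set_point: number of events observed before survivors are reported (1010).
    Returns (process, events_with_background_consumption) pairs, highest first.
    """
    if set_point > len(event_samples):
        raise ValueError("fewer events observed than the set point requires")
    candidates, eliminated = set(), set()
    idle_streak = defaultdict(int)
    consumed = defaultdict(int)
    for focus, active in event_samples[:set_point]:
        # Block 1006: only consumption by processes *not* in focus is counted
        # (assumption; the focused process legitimately handles its own input).
        background = {name for name in active if name != focus}
        for name in background:
            if name in eliminated:
                continue
            candidates.add(name)
            consumed[name] += 1
            idle_streak[name] = 0
        # Block 1008: drop candidates that missed first_threshold events in a row.
        for name in list(candidates):
            if name not in background:
                idle_streak[name] += 1
                if idle_streak[name] >= first_threshold:
                    candidates.discard(name)
                    eliminated.add(name)
    # Block 1010: survivors consumed resources serially; rank by how often.
    return sorted(((name, consumed[name]) for name in candidates),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for name, hits in find_serial_consumers(SAMPLE_EVENTS, 2, 6):
        print(f"{name}: consumed resources after {hits} of 6 events")
```

A loose first threshold lets the sporadic svchost.exe survive to the set point, which is why the patent leaves that threshold to the analyst or the intelligence component.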
- The benefit of object technology arises out of three basic principles: encapsulation, polymorphism and inheritance. Objects hide or encapsulate the internal structure of their data and the algorithms by which their functions work. Instead of exposing these implementation details, objects present interfaces that represent their abstractions cleanly with no extraneous information. Polymorphism takes encapsulation one step further—the idea being many shapes, one interface. A software component can make a request of another component without knowing exactly what that component is. The component that receives the request interprets it and figures out according to its variables and data how to execute the request. The third principle is inheritance, which allows developers to reuse pre-existing design and code. This capability allows developers to avoid creating software from scratch. Rather, through inheritance, developers derive subclasses that inherit behaviors that the developer then customizes to meet particular needs.
- In particular, an object includes, and is characterized by, a set of data (e.g., attributes) and a set of operations (e.g. methods), that can operate on the data. Generally, an object's data is ideally changed only through the operation of the object's methods. Methods in an object are invoked by passing a message to the object (e.g., message passing). The message specifies a method name and an argument list. When the object receives the message, code associated with the named method is executed with the formal parameters of the method bound to the corresponding values in the argument list. Methods and message passing in OOP are analogous to procedures and procedure calls in procedure-oriented software environments.
- However, while procedures operate to modify and return passed parameters, methods operate to modify the internal state of the associated objects (by modifying the data contained therein). The combination of data and methods in objects is called encapsulation. Encapsulation provides for the state of an object to only be changed by well-defined methods associated with the object. When the behavior of an object is confined to such well-defined locations and interfaces, changes (e.g., code modifications) in the object will have minimal impact on the other objects and elements in the system.
- Each object is an instance of some class. A class includes a set of data attributes plus a set of allowable operations (e.g., methods) on the data attributes. As mentioned above, OOP supports inheritance—a class (called a subclass) may be derived from another class (called a base class, parent class, etc.), where the subclass inherits the data attributes and methods of the base class. The subclass may specialize the base class by adding code which overrides the data and/or methods of the base class, or which adds new data attributes and methods. Thus, inheritance represents a mechanism by which abstractions are made increasingly concrete as subclasses are created for greater levels of specialization.
- As used in this application, the terms “component” and “system” are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to being, a process running on a processor, a processor, a hard disk drive, multiple storage drives (of optical and/or magnetic storage medium), an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers.
- Artificial intelligence based systems (e.g., explicitly and/or implicitly trained classifiers) can be employed in connection with performing inference and/or probabilistic determinations and/or statistical-based determinations as in accordance with one or more aspects of the claimed subject matter as described hereinafter. As used herein, the term “inference,” “infer” or variations in form thereof refers generally to the process of reasoning about or inferring states of the system, environment, and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action, or can generate a probability distribution over states, for example. The inference can be probabilistic—that is, the computation of a probability distribution over states of interest based on a consideration of data and events. Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity, and whether the events and data come from one or several event and data sources. Various classification schemes and/or systems (e.g., support vector machines, neural networks, expert systems, Bayesian belief networks, fuzzy logic, data fusion engines . . . ) can be employed in connection with performing automatic and/or inferred action in connection with the claimed subject matter.
- Furthermore, all or portions of the claimed subject matter may be implemented as a system, method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware or any combination thereof to control a computer to implement the disclosed subject matter. The term “article of manufacture” as used herein is intended to encompass a computer program accessible from any computer-readable device or media. For example, computer readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk (CD), digital versatile disk (DVD) . . . ), smart cards, and flash memory devices (e.g., card, stick, key drive . . . ). Additionally it should be appreciated that a carrier wave can be employed to carry computer-readable electronic data such as those used in transmitting and receiving electronic mail or in accessing a network such as the Internet or a local area network (LAN). Of course, those skilled in the art will recognize many modifications may be made to this configuration without departing from the scope or spirit of the claimed subject matter.
- Some portions of the detailed description have been presented in terms of algorithms and/or symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and/or representations are the means employed by those cognizant in the art to most effectively convey the substance of their work to others equally skilled. An algorithm is here, generally, conceived to be a self-consistent sequence of acts leading to a desired result. The acts are those requiring physical manipulations of physical quantities. Typically, though not necessarily, these quantities take the form of electrical and/or magnetic signals capable of being stored, transferred, combined, compared, and/or otherwise manipulated.
- It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the foregoing discussion, it is appreciated that throughout the disclosed subject matter, discussions utilizing terms such as processing, computing, calculating, determining, and/or displaying, and the like, refer to the action and processes of computer systems, and/or similar consumer and/or industrial electronic devices and/or machines, that manipulate and/or transform data represented as physical (electrical and/or electronic) quantities within the computer's and/or machine's registers and memories into other data similarly represented as physical quantities within the machine and/or computer system memories or registers or other such information storage, transmission and/or display devices.
- Referring now to FIG. 11, there is illustrated a block diagram of a computer operable to execute the disclosed malware detection system. In order to provide additional context for various aspects thereof, FIG. 11 and the following discussion are intended to provide a brief, general description of a suitable computing environment 1100 in which the various aspects of the claimed subject matter can be implemented. While the description above is in the general context of computer-executable instructions that may run on one or more computers, those skilled in the art will recognize that the subject matter as claimed also can be implemented in combination with other program modules and/or as a combination of hardware and software.
- Generally, program modules include routines, programs, components, data structures, etc., that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the inventive methods can be practiced with other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated devices.
- The illustrated aspects of the claimed subject matter may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.
- A computer typically includes a variety of computer-readable media. Computer-readable media can be any available media that can be accessed by the computer and includes both volatile and non-volatile media, removable and non-removable media. By way of example, and not limitation, computer-readable media can comprise computer storage media and communication media. Computer storage media includes both volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
- With reference again to FIG. 11, the exemplary environment 1100 for implementing various aspects includes a computer 1102, the computer 1102 including a processing unit 1104, a system memory 1106 and a system bus 1108. The system bus 1108 couples system components including, but not limited to, the system memory 1106 to the processing unit 1104. The processing unit 1104 can be any of various commercially available processors. Dual microprocessors and other multi-processor architectures may also be employed as the processing unit 1104.
- The system bus 1108 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. The system memory 1106 includes read-only memory (ROM) 1110 and random access memory (RAM) 1112. A basic input/output system (BIOS) is stored in a non-volatile memory 1110 such as ROM, EPROM, EEPROM, which BIOS contains the basic routines that help to transfer information between elements within the computer 1102, such as during start-up. The RAM 1112 can also include a high-speed RAM such as static RAM for caching data.
- The computer 1102 further includes an internal hard disk drive (HDD) 1114 (e.g., EIDE, SATA), which internal hard disk drive 1114 may also be configured for external use in a suitable chassis (not shown), a magnetic floppy disk drive (FDD) 1116 (e.g., to read from or write to a removable diskette 1118) and an optical disk drive 1120 (e.g., reading a CD-ROM disk 1122 or, to read from or write to other high capacity optical media such as the DVD). The hard disk drive 1114, magnetic disk drive 1116 and optical disk drive 1120 can be connected to the system bus 1108 by a hard disk drive interface 1124, a magnetic disk drive interface 1126 and an optical drive interface 1128, respectively. The interface 1124 for external drive implementations includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies. Other external drive connection technologies are within contemplation of the claimed subject matter.
- The drives and their associated computer-readable media provide nonvolatile storage of data, data structures, computer-executable instructions, and so forth. For the computer 1102, the drives and media accommodate the storage of any data in a suitable digital format. Although the description of computer-readable media above refers to a HDD, a removable magnetic diskette, and a removable optical media such as a CD or DVD, it should be appreciated by those skilled in the art that other types of media which are readable by a computer, such as zip drives, magnetic cassettes, flash memory cards, cartridges, and the like, may also be used in the exemplary operating environment, and further, that any such media may contain computer-executable instructions for performing the methods of the disclosed and claimed subject matter.
- A number of program modules can be stored in the drives and RAM 1112, including an operating system 1130, one or more application programs 1132, other program modules 1134 and program data 1136. All or portions of the operating system, applications, modules, and/or data can also be cached in the RAM 1112. It is to be appreciated that the claimed subject matter can be implemented with various commercially available operating systems or combinations of operating systems.
- A user can enter commands and information into the computer 1102 through one or more wired/wireless input devices, e.g., a keyboard 1138 and a pointing device, such as a mouse 1140. Other input devices (not shown) may include a microphone, an IR remote control, a joystick, a game pad, a stylus pen, touch screen, or the like. These and other input devices are often connected to the processing unit 1104 through an input device interface 1142 that is coupled to the system bus 1108, but can be connected by other interfaces, such as a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.
- A monitor 1144 or other type of display device is also connected to the system bus 1108 via an interface, such as a video adapter 1146. In addition to the monitor 1144, a computer typically includes other peripheral output devices (not shown), such as speakers, printers, etc.
- The computer 1102 may operate in a networked environment using logical connections via wired and/or wireless communications to one or more remote computers, such as a remote computer(s) 1148. The remote computer(s) 1148 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 1102, although, for purposes of brevity, only a memory/storage device 1150 is illustrated. The logical connections depicted include wired/wireless connectivity to a local area network (LAN) 1152 and/or larger networks, e.g., a wide area network (WAN) 1154. Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, e.g., the Internet.
- When used in a LAN networking environment, the computer 1102 is connected to the local network 1152 through a wired and/or wireless communication network interface or adapter 1156. The adapter 1156 may facilitate wired or wireless communication to the LAN 1152, which may also include a wireless access point disposed thereon for communicating with the wireless adapter 1156.
- When used in a WAN networking environment, the computer 1102 can include a modem 1158, or is connected to a communications server on the WAN 1154, or has other means for establishing communications over the WAN 1154, such as by way of the Internet. The modem 1158, which can be internal or external and a wired or wireless device, is connected to the system bus 1108 via the serial port interface 1142. In a networked environment, program modules depicted relative to the computer 1102, or portions thereof, can be stored in the remote memory/storage device 1150. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.
- The computer 1102 is operable to communicate with any wireless devices or entities operatively disposed in wireless communication, e.g., a printer, scanner, desktop and/or portable computer, portable data assistant, communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone. This includes at least Wi-Fi and Bluetooth™ wireless technologies. Thus, the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices.
- Wi-Fi, or Wireless Fidelity, allows connection to the Internet from a couch at home, a bed in a hotel room, or a conference room at work, without wires. Wi-Fi is a wireless technology similar to that used in a cell phone that enables such devices, e.g., computers, to send and receive data indoors and out; anywhere within the range of a base station. Wi-Fi networks can for example use radio technologies called IEEE 802.11x (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity. Other radio technologies that can also be employed include Bluetooth, RF, and the like. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wired networks (which use IEEE 802.3 or Ethernet).
- Wi-Fi networks can operate in the unlicensed 2.4 and 5 GHz radio bands. IEEE 802.11 applies generally to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS). IEEE 802.11a is an extension to IEEE 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band. IEEE 802.11a uses an orthogonal frequency division multiplexing (OFDM) encoding scheme rather than FHSS or DSSS. IEEE 802.11b (also referred to as 802.11 High Rate DSSS or Wi-Fi) is an extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. IEEE 802.11g applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band. Products can contain more than one band (e.g., dual band), so the networks can provide real-world performance similar to the basic 10BaseT or 100BaseT wired Ethernet networks used in many offices.
- Referring now to FIG. 12, there is illustrated a schematic block diagram of an exemplary computing environment 1200 for processing the malware detection architecture in accordance with another aspect. The system 1200 includes one or more client(s) 1202. The client(s) 1202 can be hardware and/or software (e.g., threads, processes, computing devices). The client(s) 1202 can house cookie(s) and/or associated contextual information by employing the claimed subject matter, for example.
- The system 1200 also includes one or more server(s) 1204. The server(s) 1204 can also be hardware and/or software (e.g., threads, processes, computing devices). The servers 1204 can house threads to perform transformations by employing the claimed subject matter, for example. One possible communication between a client 1202 and a server 1204 can be in the form of a data packet adapted to be transmitted between two or more computer processes. The data packet may include a cookie and/or associated contextual information, for example. The system 1200 includes a communication framework 1206 (e.g., a global communication network such as the Internet) that can be employed to facilitate communications between the client(s) 1202 and the server(s) 1204.
- Communications can be facilitated via a wired (including optical fiber) and/or wireless technology. The client(s) 1202 are operatively connected to one or more client data store(s) 1208 that can be employed to store information local to the client(s) 1202 (e.g., cookie(s) and/or associated contextual information). Similarly, the server(s) 1204 are operatively connected to one or more server data store(s) 1210 that can be employed to store information local to the servers 1204.
- What has been described above includes examples of the disclosed and claimed subject matter. It is, of course, not possible to describe every conceivable combination of components and/or methodologies, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the claimed subject matter is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the term “includes” is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.
Claims (20)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/680,136 US9021590B2 (en) | 2007-02-28 | 2007-02-28 | Spyware detection mechanism |
PCT/US2008/053508 WO2008106296A1 (en) | 2007-02-28 | 2008-02-08 | Spyware detection mechanism |
TW097105062A TWI463405B (en) | 2007-02-28 | 2008-02-13 | System, method and computer storage device for spyware detection mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/680,136 US9021590B2 (en) | 2007-02-28 | 2007-02-28 | Spyware detection mechanism |
Publications (2)
Publication Number | Publication Date |
---|---|
US20080209557A1 true US20080209557A1 (en) | 2008-08-28 |
US9021590B2 US9021590B2 (en) | 2015-04-28 |
Family
ID=39717490
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/680,136 Active 2032-09-24 US9021590B2 (en) | 2007-02-28 | 2007-02-28 | Spyware detection mechanism |
Country Status (3)
Country | Link |
---|---|
US (1) | US9021590B2 (en) |
TW (1) | TWI463405B (en) |
WO (1) | WO2008106296A1 (en) |
Cited By (202)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100031359A1 (en) * | 2008-04-14 | 2010-02-04 | Secure Computing Corporation | Probabilistic shellcode detection |
US20100100939A1 (en) * | 2008-10-21 | 2010-04-22 | Flexilis, Inc. | Secure mobile platform system |
US20100100963A1 (en) * | 2008-10-21 | 2010-04-22 | Flexilis, Inc. | System and method for attack and malware prevention |
WO2010105249A1 (en) * | 2009-03-13 | 2010-09-16 | Rutgers, The State University Of New Jersey | Systems and methods for the detection of malware |
US20100281540A1 (en) * | 2009-05-01 | 2010-11-04 | Mcafee, Inc. | Detection of code execution exploits |
US20110035802A1 (en) * | 2009-08-07 | 2011-02-10 | Microsoft Corporation | Representing virtual object priority based on relationships |
US20110047594A1 (en) * | 2008-10-21 | 2011-02-24 | Lookout, Inc., A California Corporation | System and method for mobile communication device application advisement |
US20110185429A1 (en) * | 2010-01-27 | 2011-07-28 | Mcafee, Inc. | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
US20110197277A1 (en) * | 2010-02-11 | 2011-08-11 | Microsoft Corporation | System and method for prioritizing computers based on anti-malware events |
US20110271343A1 (en) * | 2010-04-28 | 2011-11-03 | Electronics And Telecommunications Research Institute | Apparatus, system and method for detecting malicious code |
EP2400387A1 (en) * | 2010-06-25 | 2011-12-28 | TuneUp Software GmbH | Method for improving the performance of computers |
US8271608B2 (en) | 2008-10-21 | 2012-09-18 | Lookout, Inc. | System and method for a mobile cross-platform software system |
WO2012162102A1 (en) * | 2011-05-24 | 2012-11-29 | Palo Alto Networks, Inc. | Malware analysis system |
US8347386B2 (en) | 2008-10-21 | 2013-01-01 | Lookout, Inc. | System and method for server-coupled malware prevention |
US8397301B2 (en) | 2009-11-18 | 2013-03-12 | Lookout, Inc. | System and method for identifying and assessing vulnerabilities on a mobile communication device |
US8467768B2 (en) | 2009-02-17 | 2013-06-18 | Lookout, Inc. | System and method for remotely securing or recovering a mobile device |
WO2013089576A1 (en) * | 2011-11-02 | 2013-06-20 | Bitdefender Ipr Management Ltd | Fuzzy whitelisting anti-malware systems and methods |
US8484739B1 (en) * | 2008-12-15 | 2013-07-09 | Symantec Corporation | Techniques for securely performing reputation based analysis using virtualization |
US8505095B2 (en) | 2008-10-21 | 2013-08-06 | Lookout, Inc. | System and method for monitoring and analyzing multiple interfaces and multiple protocols |
US8510843B2 (en) | 2008-10-21 | 2013-08-13 | Lookout, Inc. | Security status and information display system |
US8533844B2 (en) | 2008-10-21 | 2013-09-10 | Lookout, Inc. | System and method for security data collection and analysis |
US8538815B2 (en) | 2009-02-17 | 2013-09-17 | Lookout, Inc. | System and method for mobile device replacement |
US20130291109A1 (en) * | 2008-11-03 | 2013-10-31 | Fireeye, Inc. | Systems and Methods for Scheduling Analysis of Network Content for Malware |
US8627305B1 (en) * | 2009-03-24 | 2014-01-07 | Mcafee, Inc. | System, method, and computer program product for hooking code inserted into an address space of a new process |
US8655307B1 (en) | 2012-10-26 | 2014-02-18 | Lookout, Inc. | System and method for developing, updating, and using user device behavioral context models to modify user, device, and application state, settings and behavior for enhanced user security |
US8695096B1 (en) | 2011-05-24 | 2014-04-08 | Palo Alto Networks, Inc. | Automatic signature generation for malicious PDF files |
US20140137247A1 (en) * | 2012-11-09 | 2014-05-15 | International Business Machines Corporation | Limiting Information Leakage and Piracy due to Virtual Machine Cloning |
US8738765B2 (en) | 2011-06-14 | 2014-05-27 | Lookout, Inc. | Mobile device DNS optimization |
US8775333B1 (en) * | 2008-08-20 | 2014-07-08 | Symantec Corporation | Systems and methods for generating a threat classifier to determine a malicious process |
US8788881B2 (en) | 2011-08-17 | 2014-07-22 | Lookout, Inc. | System and method for mobile device push communications |
US8855599B2 (en) | 2012-12-31 | 2014-10-07 | Lookout, Inc. | Method and apparatus for auxiliary communications with mobile communications device |
US8855601B2 (en) | 2009-02-17 | 2014-10-07 | Lookout, Inc. | System and method for remotely-initiated audio communication |
CN104254845A (en) * | 2012-07-24 | 2014-12-31 | 惠普发展公司,有限责任合伙企业 | Receiving an update module by accessing a network site |
US8984628B2 (en) | 2008-10-21 | 2015-03-17 | Lookout, Inc. | System and method for adverse mobile application identification |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US9001661B2 (en) | 2006-06-26 | 2015-04-07 | Palo Alto Networks, Inc. | Packet classification in a network security device |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9042876B2 (en) | 2009-02-17 | 2015-05-26 | Lookout, Inc. | System and method for uploading location information based on device movement |
US9043919B2 (en) | 2008-10-21 | 2015-05-26 | Lookout, Inc. | Crawling multiple markets and correlating |
US9165142B1 (en) * | 2013-01-30 | 2015-10-20 | Palo Alto Networks, Inc. | Malware family identification using profile signatures |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9208215B2 (en) | 2012-12-27 | 2015-12-08 | Lookout, Inc. | User classification based on data gathered from a computing device |
US9215074B2 (en) | 2012-06-05 | 2015-12-15 | Lookout, Inc. | Expressing intent to control behavior of application components |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9235704B2 (en) | 2008-10-21 | 2016-01-12 | Lookout, Inc. | System and method for a scanning API |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9282109B1 (en) | 2004-04-01 | 2016-03-08 | Fireeye, Inc. | System and method for analyzing packets |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
WO2016048070A1 (en) * | 2014-09-25 | 2016-03-31 | 주식회사 안랩 | Apparatus and method for reconstructing execution file |
US9306960B1 (en) | 2004-04-01 | 2016-04-05 | Fireeye, Inc. | Systems and methods for unauthorized activity defense |
US9306974B1 (en) | 2013-12-26 | 2016-04-05 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9374369B2 (en) | 2012-12-28 | 2016-06-21 | Lookout, Inc. | Multi-factor authentication and comprehensive login system for client-server networks |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US9424409B2 (en) | 2013-01-10 | 2016-08-23 | Lookout, Inc. | Method and system for protecting privacy and enhancing security on an electronic device |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US20160294849A1 (en) * | 2015-03-31 | 2016-10-06 | Juniper Networks, Inc. | Detecting suspicious files resident on a network |
US9479530B2 (en) | 2010-01-27 | 2016-10-25 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9536089B2 (en) | 2010-09-02 | 2017-01-03 | Mcafee, Inc. | Atomic detection and repair of kernel memory |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9589129B2 (en) | 2012-06-05 | 2017-03-07 | Lookout, Inc. | Determining source of side-loaded software |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9628498B1 (en) | 2004-04-01 | 2017-04-18 | Fireeye, Inc. | System and method for bot detection |
WO2017069348A1 (en) * | 2015-10-19 | 2017-04-27 | 한국과학기술정보연구원 | Method and device for automatically verifying security event |
US9642008B2 (en) | 2013-10-25 | 2017-05-02 | Lookout, Inc. | System and method for creating and assigning a policy for a mobile communications device based on personal data |
US9661018B1 (en) | 2004-04-01 | 2017-05-23 | Fireeye, Inc. | System and method for detecting anomalous behaviors using a virtual machine environment |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9753796B2 (en) | 2013-12-06 | 2017-09-05 | Lookout, Inc. | Distributed monitoring, evaluation, and response for multiple devices |
US20170264626A1 (en) * | 2016-03-08 | 2017-09-14 | Palo Alto Networks, Inc. | Malicious http cookies detection and clustering |
US20170262629A1 (en) * | 2016-03-08 | 2017-09-14 | Palo Alto Networks, Inc. | Cookies watermarking in malware analysis |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US9779253B2 (en) | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses to improve the functioning of mobile communications devices |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US9838416B1 (en) | 2004-06-14 | 2017-12-05 | Fireeye, Inc. | System and method of detecting malicious content |
US20180063191A1 (en) * | 2016-08-31 | 2018-03-01 | Siemens Aktiengesellschaft | System and method for using a virtual honeypot in an industrial automation system and cloud connector |
US9910988B1 (en) | 2013-09-30 | 2018-03-06 | Fireeye, Inc. | Malware analysis in accordance with an analysis plan |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
WO2018063756A1 (en) * | 2016-09-30 | 2018-04-05 | Intel Corporation | System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks |
US9955352B2 (en) | 2009-02-17 | 2018-04-24 | Lookout, Inc. | Methods and systems for addressing mobile communications devices that are lost or stolen but not yet reported as such |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9996682B2 (en) | 2015-04-24 | 2018-06-12 | Microsoft Technology Licensing, Llc | Detecting and preventing illicit use of device |
US10027690B2 (en) | 2004-04-01 | 2018-07-17 | Fireeye, Inc. | Electronic message analysis for malware detection |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10068091B1 (en) | 2004-04-01 | 2018-09-04 | Fireeye, Inc. | System and method for malware containment |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10122747B2 (en) | 2013-12-06 | 2018-11-06 | Lookout, Inc. | Response generation after distributed monitoring and evaluation of multiple devices |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US10158664B2 (en) | 2014-07-22 | 2018-12-18 | Verisign, Inc. | Malicious code detection |
US10165000B1 (en) | 2004-04-01 | 2018-12-25 | Fireeye, Inc. | Systems and methods for malware attack prevention by intercepting flows of information |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10218697B2 (en) | 2017-06-09 | 2019-02-26 | Lookout, Inc. | Use of device risk evaluation to manage access to services |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US10284574B1 (en) | 2004-04-01 | 2019-05-07 | Fireeye, Inc. | System and method for threat detection and identification |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10341365B1 (en) | 2015-12-30 | 2019-07-02 | Fireeye, Inc. | Methods and system for hiding transition events for malware detection |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US10432649B1 (en) | 2014-03-20 | 2019-10-01 | Fireeye, Inc. | System and method for classifying an object based on an aggregated behavior results |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10528726B1 (en) | 2014-12-29 | 2020-01-07 | Fireeye, Inc. | Microvisor-based malware detection appliance architecture |
US10540494B2 (en) | 2015-05-01 | 2020-01-21 | Lookout, Inc. | Determining source of side-loaded software using an administrator server |
US10554507B1 (en) | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10637880B1 (en) | 2013-05-13 | 2020-04-28 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10701091B1 (en) | 2013-03-15 | 2020-06-30 | Fireeye, Inc. | System and method for verifying a cyberthreat |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10728263B1 (en) | 2015-04-13 | 2020-07-28 | Fireeye, Inc. | Analytic-based security monitoring system and method |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10740456B1 (en) | 2014-01-16 | 2020-08-11 | Fireeye, Inc. | Threat-aware architecture |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10764309B2 (en) | 2018-01-31 | 2020-09-01 | Palo Alto Networks, Inc. | Context profiling for malware detection |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10848521B1 (en) | 2013-03-13 | 2020-11-24 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10902119B1 (en) * | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10929266B1 (en) | 2013-02-23 | 2021-02-23 | Fireeye, Inc. | Real-time visual playback with synchronous textual analysis log display and event/time indexing |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US11153341B1 (en) | 2004-04-01 | 2021-10-19 | Fireeye, Inc. | System and method for detecting malicious network content using virtual environment components |
US11159538B2 (en) | 2018-01-31 | 2021-10-26 | Palo Alto Networks, Inc. | Context for malware forensics and detection |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11200080B1 (en) | 2015-12-11 | 2021-12-14 | Fireeye Security Holdings Us Llc | Late load technique for deploying a virtualization layer underneath a running operating system |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11244056B1 (en) | 2014-07-01 | 2022-02-08 | Fireeye Security Holdings Us Llc | Verification of trusted threat-aware visualization layer |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11381578B1 (en) | 2009-09-30 | 2022-07-05 | Fireeye Security Holdings Us Llc | Network-based binary file extraction and analysis for malware detection |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11956212B2 (en) | 2021-03-31 | 2024-04-09 | Palo Alto Networks, Inc. | IoT device application workload capture |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI396994B (en) * | 2009-05-05 | 2013-05-21 | Phison Electronics Corp | Controller capable of preventing spread of computer viruses and storage system and metho thereof |
TWI396995B (en) * | 2009-07-23 | 2013-05-21 | Inst Information Industry | Method and system for cleaning malicious software and computer program product and storage medium |
US9392003B2 (en) | 2012-08-23 | 2016-07-12 | Raytheon Foreground Security, Inc. | Internet security cyber threat reporting system and method |
TWI475483B (en) * | 2012-10-19 | 2015-03-01 | Taibotics Co Ltd | A program development method for automatic apparatuses |
US9491193B2 (en) * | 2013-06-27 | 2016-11-08 | Secureage Technology, Inc. | System and method for antivirus protection |
US20190156024A1 (en) * | 2017-11-20 | 2019-05-23 | Somansa Co., Ltd. | Method and apparatus for automatically classifying malignant code on basis of malignant behavior information |
US11580219B2 (en) * | 2018-01-25 | 2023-02-14 | Mcafee, Llc | System and method for malware signature generation |
TWI703467B (en) * | 2019-08-29 | 2020-09-01 | 國立成功大學 | Industrial control trapping system and method with high interaction combination |
TWI802040B (en) * | 2021-10-08 | 2023-05-11 | 精品科技股份有限公司 | Method of application control based on file attributes |
Citations (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5936622A (en) * | 1997-01-16 | 1999-08-10 | International Business Machines Corporation | Method and computer program product for displaying visual threshold setting indicators and threshold activation indicators |
US6061722A (en) * | 1996-12-23 | 2000-05-09 | T E Network, Inc. | Assessing network performance without interference with normal network operations |
US20020133590A1 (en) * | 2001-03-08 | 2002-09-19 | International Business Machines Corporation | Protecting contents of computer data files from suspected intruders by renaming and hiding data files subjected to intrusion |
US20030046577A1 (en) * | 2001-08-31 | 2003-03-06 | International Business Machines Corporation | System and method for the detection of and reaction to computer hacker denial of service attacks |
US20030065926A1 (en) * | 2001-07-30 | 2003-04-03 | Schultz Matthew G. | System and methods for detection of new malicious executables |
US20050021994A1 (en) * | 2003-07-21 | 2005-01-27 | Barton Christopher Andrew | Pre-approval of computer files during a malware detection |
US6886099B1 (en) * | 2000-09-12 | 2005-04-26 | Networks Associates Technology, Inc. | Computer virus detection |
US20050204205A1 (en) * | 2004-02-26 | 2005-09-15 | Ring Sandra E. | Methodology, system, and computer readable medium for detecting operating system exploitations |
US20050268112A1 (en) * | 2004-05-28 | 2005-12-01 | Microsoft Corporation | Managing spyware and unwanted software through auto-start extensibility points |
US20060031673A1 (en) * | 2004-07-23 | 2006-02-09 | Microsoft Corporation | Method and system for detecting infection of an operating system |
US7010698B2 (en) * | 2001-02-14 | 2006-03-07 | Invicta Networks, Inc. | Systems and methods for creating a code inspection system |
US20060074896A1 (en) * | 2004-10-01 | 2006-04-06 | Steve Thomas | System and method for pestware detection and removal |
US20060075499A1 (en) * | 2004-09-27 | 2006-04-06 | Networks Associates Technology, Inc. | Virus scanner system and method with integrated spyware detection capabilities |
US20060156397A1 (en) * | 2005-01-13 | 2006-07-13 | Steven Dai | A New Anti-spy method without using scan |
US20060161987A1 (en) * | 2004-11-10 | 2006-07-20 | Guy Levy-Yurista | Detecting and remedying unauthorized computer programs |
US20060174028A1 (en) * | 2005-01-31 | 2006-08-03 | Shouyu Zhu | Method for malicious traffic recognition in IP networks with subscriber identification and notification |
US20060224927A1 (en) * | 2005-03-24 | 2006-10-05 | Farstone Tech, Inc. | Security detection system and methods regarding the same |
US20060242717A1 (en) * | 2003-07-28 | 2006-10-26 | Luke Alphey | Expression systems |
US7243373B2 (en) * | 2001-07-25 | 2007-07-10 | Mcafee, Inc. | On-access malware scanning |
US20070192855A1 (en) * | 2006-01-18 | 2007-08-16 | Microsoft Corporation | Finding phishing sites |
US20070234424A1 (en) * | 2006-03-31 | 2007-10-04 | Lucent Technologies, Inc. | Design and evaluation of a fast and robust worm detection algorithm |
US20070244877A1 (en) * | 2006-04-12 | 2007-10-18 | Battelle Memorial Institute | Tracking methods for computer-readable files |
US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware |
US7340777B1 (en) * | 2003-03-31 | 2008-03-04 | Symantec Corporation | In memory heuristic system and method for detecting viruses |
US7383569B1 (en) * | 1998-03-02 | 2008-06-03 | Computer Associates Think, Inc. | Method and agent for the protection against the unauthorized use of computer resources |
US20080133540A1 (en) * | 2006-12-01 | 2008-06-05 | Websense, Inc. | System and method of analyzing web addresses |
US20090077664A1 (en) * | 2006-04-27 | 2009-03-19 | Stephen Dao Hui Hsu | Methods for combating malicious software |
US7512977B2 (en) * | 2003-06-11 | 2009-03-31 | Symantec Corporation | Intrustion protection system utilizing layers |
US7627758B1 (en) * | 2004-08-13 | 2009-12-01 | Juniper Networks, Inc. | Method and system for performing a security check |
US7802301B1 (en) * | 2004-12-10 | 2010-09-21 | Trend Micro, Inc. | Spyware scanning and cleaning methods and system |
US8402012B1 (en) * | 2005-11-14 | 2013-03-19 | Nvidia Corporation | System and method for determining risk of search engine results |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2005115088A (en) * | 2002-11-18 | 2006-01-20 | Арм Лимитед (Gb) | MEMORY ACCESS MANAGEMENT |
TW200638236A (en) | 2005-04-22 | 2006-11-01 | Farstone Tech Inc | Protection System and method of computer security |
- 2007
  - 2007-02-28 US US11/680,136 patent/US9021590B2/en active Active
- 2008
  - 2008-02-08 WO PCT/US2008/053508 patent/WO2008106296A1/en active Application Filing
  - 2008-02-13 TW TW097105062A patent/TWI463405B/en not_active IP Right Cessation
Non-Patent Citations (2)
Title |
---|
Kumar, Sandeep, and Eugene H. Spafford. "A generic virus scanner for C++." Proceedings of the Eighth Annual Computer Security Applications Conference, 1992 (pp. 210-219). IEEE, 1992. * |
Yin, Heng, et al. "Panorama: capturing system-wide information flow for malware detection and analysis." Proceedings of the 14th ACM Conference on Computer and Communications Security (pp. 116-127). ACM, 2007. * |
Cited By (370)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11082435B1 (en) | 2004-04-01 | 2021-08-03 | Fireeye, Inc. | System and method for threat detection and identification |
US9282109B1 (en) | 2004-04-01 | 2016-03-08 | Fireeye, Inc. | System and method for analyzing packets |
US9516057B2 (en) | 2004-04-01 | 2016-12-06 | Fireeye, Inc. | Systems and methods for computer worm defense |
US10097573B1 (en) | 2004-04-01 | 2018-10-09 | Fireeye, Inc. | Systems and methods for malware defense |
US10068091B1 (en) | 2004-04-01 | 2018-09-04 | Fireeye, Inc. | System and method for malware containment |
US10284574B1 (en) | 2004-04-01 | 2019-05-07 | Fireeye, Inc. | System and method for threat detection and identification |
US9838411B1 (en) | 2004-04-01 | 2017-12-05 | Fireeye, Inc. | Subscriber based protection system |
US10027690B2 (en) | 2004-04-01 | 2018-07-17 | Fireeye, Inc. | Electronic message analysis for malware detection |
US9591020B1 (en) | 2004-04-01 | 2017-03-07 | Fireeye, Inc. | System and method for signature generation |
US11153341B1 (en) | 2004-04-01 | 2021-10-19 | Fireeye, Inc. | System and method for detecting malicious network content using virtual environment components |
US10165000B1 (en) | 2004-04-01 | 2018-12-25 | Fireeye, Inc. | Systems and methods for malware attack prevention by intercepting flows of information |
US11637857B1 (en) | 2004-04-01 | 2023-04-25 | Fireeye Security Holdings Us Llc | System and method for detecting malicious traffic using a virtual machine configured with a select software environment |
US9306960B1 (en) | 2004-04-01 | 2016-04-05 | Fireeye, Inc. | Systems and methods for unauthorized activity defense |
US10757120B1 (en) | 2004-04-01 | 2020-08-25 | Fireeye, Inc. | Malicious network content detection |
US9912684B1 (en) | 2004-04-01 | 2018-03-06 | Fireeye, Inc. | System and method for virtual analysis of network data |
US9628498B1 (en) | 2004-04-01 | 2017-04-18 | Fireeye, Inc. | System and method for bot detection |
US10511614B1 (en) | 2004-04-01 | 2019-12-17 | Fireeye, Inc. | Subscription based malware detection under management system control |
US9661018B1 (en) | 2004-04-01 | 2017-05-23 | Fireeye, Inc. | System and method for detecting anomalous behaviors using a virtual machine environment |
US10567405B1 (en) | 2004-04-01 | 2020-02-18 | Fireeye, Inc. | System for detecting a presence of malware from behavioral analysis |
US10623434B1 (en) | 2004-04-01 | 2020-04-14 | Fireeye, Inc. | System and method for virtual analysis of network data |
US10587636B1 (en) | 2004-04-01 | 2020-03-10 | Fireeye, Inc. | System and method for bot detection |
US9838416B1 (en) | 2004-06-14 | 2017-12-05 | Fireeye, Inc. | System and method of detecting malicious content |
US9001661B2 (en) | 2006-06-26 | 2015-04-07 | Palo Alto Networks, Inc. | Packet classification in a network security device |
US20100031359A1 (en) * | 2008-04-14 | 2010-02-04 | Secure Computing Corporation | Probabilistic shellcode detection |
US8549624B2 (en) * | 2008-04-14 | 2013-10-01 | Mcafee, Inc. | Probabilistic shellcode detection |
US8775333B1 (en) * | 2008-08-20 | 2014-07-08 | Symantec Corporation | Systems and methods for generating a threat classifier to determine a malicious process |
US9860263B2 (en) | 2008-10-21 | 2018-01-02 | Lookout, Inc. | System and method for assessing data objects on mobile communications devices |
US9996697B2 (en) | 2008-10-21 | 2018-06-12 | Lookout, Inc. | Methods and systems for blocking the installation of an application to improve the functioning of a mobile communications device |
US9100389B2 (en) | 2008-10-21 | 2015-08-04 | Lookout, Inc. | Assessing an application based on application data associated with the application |
US8533844B2 (en) | 2008-10-21 | 2013-09-10 | Lookout, Inc. | System and method for security data collection and analysis |
US10509910B2 (en) | 2008-10-21 | 2019-12-17 | Lookout, Inc. | Methods and systems for granting access to services based on a security state that varies with the severity of security events |
US8510843B2 (en) | 2008-10-21 | 2013-08-13 | Lookout, Inc. | Security status and information display system |
US8505095B2 (en) | 2008-10-21 | 2013-08-06 | Lookout, Inc. | System and method for monitoring and analyzing multiple interfaces and multiple protocols |
US9781148B2 (en) | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses between collections of mobile communications devices |
US9779253B2 (en) | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses to improve the functioning of mobile communications devices |
US8683593B2 (en) | 2008-10-21 | 2014-03-25 | Lookout, Inc. | Server-assisted analysis of data for a mobile device |
US9235704B2 (en) | 2008-10-21 | 2016-01-12 | Lookout, Inc. | System and method for a scanning API |
US10509911B2 (en) | 2008-10-21 | 2019-12-17 | Lookout, Inc. | Methods and systems for conditionally granting access to services based on the security state of the device requesting access |
US9740852B2 (en) | 2008-10-21 | 2017-08-22 | Lookout, Inc. | System and method for assessing an application to be installed on a mobile communications device |
US9223973B2 (en) | 2008-10-21 | 2015-12-29 | Lookout, Inc. | System and method for attack and malware prevention |
US8745739B2 (en) | 2008-10-21 | 2014-06-03 | Lookout, Inc. | System and method for server-coupled application re-analysis to obtain characterization assessment |
US8752176B2 (en) | 2008-10-21 | 2014-06-10 | Lookout, Inc. | System and method for server-coupled application re-analysis to obtain trust, distribution and ratings assessment |
US8381303B2 (en) | 2008-10-21 | 2013-02-19 | Kevin Patrick Mahaffey | System and method for attack and malware prevention |
US8365252B2 (en) | 2008-10-21 | 2013-01-29 | Lookout, Inc. | Providing access levels to services based on mobile device security state |
US8347386B2 (en) | 2008-10-21 | 2013-01-01 | Lookout, Inc. | System and method for server-coupled malware prevention |
US8271608B2 (en) | 2008-10-21 | 2012-09-18 | Lookout, Inc. | System and method for a mobile cross-platform software system |
US8108933B2 (en) | 2008-10-21 | 2012-01-31 | Lookout, Inc. | System and method for attack and malware prevention |
US8826441B2 (en) | 2008-10-21 | 2014-09-02 | Lookout, Inc. | Event-based security state assessment and display for mobile devices |
US9065846B2 (en) | 2008-10-21 | 2015-06-23 | Lookout, Inc. | Analyzing data gathered through different protocols |
US9245119B2 (en) | 2008-10-21 | 2016-01-26 | Lookout, Inc. | Security status assessment using mobile device security information database |
US8087067B2 (en) | 2008-10-21 | 2011-12-27 | Lookout, Inc. | Secure mobile platform system |
US8875289B2 (en) | 2008-10-21 | 2014-10-28 | Lookout, Inc. | System and method for preventing malware on a mobile communication device |
US8881292B2 (en) | 2008-10-21 | 2014-11-04 | Lookout, Inc. | Evaluating whether data is safe or malicious |
US11080407B2 (en) | 2008-10-21 | 2021-08-03 | Lookout, Inc. | Methods and systems for analyzing data after initial analyses by known good and known bad security components |
US9407640B2 (en) | 2008-10-21 | 2016-08-02 | Lookout, Inc. | Assessing a security state of a mobile communications device to determine access to specific tasks |
US10417432B2 (en) | 2008-10-21 | 2019-09-17 | Lookout, Inc. | Methods and systems for blocking potentially harmful communications to improve the functioning of an electronic device |
US9367680B2 (en) | 2008-10-21 | 2016-06-14 | Lookout, Inc. | System and method for mobile communication device application advisement |
US8984628B2 (en) | 2008-10-21 | 2015-03-17 | Lookout, Inc. | System and method for adverse mobile application identification |
US9043919B2 (en) | 2008-10-21 | 2015-05-26 | Lookout, Inc. | Crawling multiple markets and correlating |
US9344431B2 (en) | 2008-10-21 | 2016-05-17 | Lookout, Inc. | System and method for assessing an application based on data from multiple devices |
US8561144B2 (en) | 2008-10-21 | 2013-10-15 | Lookout, Inc. | Enforcing security based on a security state assessment of a mobile device |
US20100100939A1 (en) * | 2008-10-21 | 2010-04-22 | Flexilis, Inc. | Secure mobile platform system |
US8997181B2 (en) | 2008-10-21 | 2015-03-31 | Lookout, Inc. | Assessing the security state of a mobile communications device |
US20110047594A1 (en) * | 2008-10-21 | 2011-02-24 | Lookout, Inc., A California Corporation | System and method for mobile communication device application advisement |
US9294500B2 (en) | 2008-10-21 | 2016-03-22 | Lookout, Inc. | System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects |
US20100100963A1 (en) * | 2008-10-21 | 2010-04-22 | Flexilis, Inc. | System and method for attack and malware prevention |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8990939B2 (en) * | 2008-11-03 | 2015-03-24 | Fireeye, Inc. | Systems and methods for scheduling analysis of network content for malware |
US9438622B1 (en) | 2008-11-03 | 2016-09-06 | Fireeye, Inc. | Systems and methods for analyzing malicious PDF network content |
US9954890B1 (en) | 2008-11-03 | 2018-04-24 | Fireeye, Inc. | Systems and methods for analyzing PDF documents |
US20130291109A1 (en) * | 2008-11-03 | 2013-10-31 | Fireeye, Inc. | Systems and Methods for Scheduling Analysis of Network Content for Malware |
US9118715B2 (en) | 2008-11-03 | 2015-08-25 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8484739B1 (en) * | 2008-12-15 | 2013-07-09 | Symantec Corporation | Techniques for securely performing reputation based analysis using virtualization |
US10623960B2 (en) | 2009-02-17 | 2020-04-14 | Lookout, Inc. | Methods and systems for enhancing electronic device security by causing the device to go into a mode for lost or stolen devices |
US8467768B2 (en) | 2009-02-17 | 2013-06-18 | Lookout, Inc. | System and method for remotely securing or recovering a mobile device |
US8682400B2 (en) | 2009-02-17 | 2014-03-25 | Lookout, Inc. | Systems and methods for device broadcast of location information when battery is low |
US9179434B2 (en) | 2009-02-17 | 2015-11-03 | Lookout, Inc. | Systems and methods for locking and disabling a device in response to a request |
US8855601B2 (en) | 2009-02-17 | 2014-10-07 | Lookout, Inc. | System and method for remotely-initiated audio communication |
US10419936B2 (en) | 2009-02-17 | 2019-09-17 | Lookout, Inc. | Methods and systems for causing mobile communications devices to emit sounds with encoded information |
US9167550B2 (en) | 2009-02-17 | 2015-10-20 | Lookout, Inc. | Systems and methods for applying a security policy to a device based on location |
US9955352B2 (en) | 2009-02-17 | 2018-04-24 | Lookout, Inc. | Methods and systems for addressing mobile communications devices that are lost or stolen but not yet reported as such |
US8825007B2 (en) | 2009-02-17 | 2014-09-02 | Lookout, Inc. | Systems and methods for applying a security policy to a device based on a comparison of locations |
US9232491B2 (en) | 2009-02-17 | 2016-01-05 | Lookout, Inc. | Mobile device geolocation |
US9100925B2 (en) | 2009-02-17 | 2015-08-04 | Lookout, Inc. | Systems and methods for displaying location information of a device |
US8635109B2 (en) | 2009-02-17 | 2014-01-21 | Lookout, Inc. | System and method for providing offers for mobile devices |
US9042876B2 (en) | 2009-02-17 | 2015-05-26 | Lookout, Inc. | System and method for uploading location information based on device movement |
US8929874B2 (en) | 2009-02-17 | 2015-01-06 | Lookout, Inc. | Systems and methods for remotely controlling a lost mobile communications device |
US8774788B2 (en) | 2009-02-17 | 2014-07-08 | Lookout, Inc. | Systems and methods for transmitting a communication based on a device leaving or entering an area |
US8538815B2 (en) | 2009-02-17 | 2013-09-17 | Lookout, Inc. | System and method for mobile device replacement |
US8763127B2 (en) | 2009-03-13 | 2014-06-24 | Rutgers, The State University Of New Jersey | Systems and method for malware detection |
WO2010105249A1 (en) * | 2009-03-13 | 2010-09-16 | Rutgers, The State University Of New Jersey | Systems and methods for the detection of malware |
US8627305B1 (en) * | 2009-03-24 | 2014-01-07 | Mcafee, Inc. | System, method, and computer program product for hooking code inserted into an address space of a new process |
US20100281540A1 (en) * | 2009-05-01 | 2010-11-04 | Mcafee, Inc. | Detection of code execution exploits |
US8621626B2 (en) | 2009-05-01 | 2013-12-31 | Mcafee, Inc. | Detection of code execution exploits |
US20110035802A1 (en) * | 2009-08-07 | 2011-02-10 | Microsoft Corporation | Representing virtual object priority based on relationships |
US11381578B1 (en) | 2009-09-30 | 2022-07-05 | Fireeye Security Holdings Us Llc | Network-based binary file extraction and analysis for malware detection |
USRE46768E1 (en) | 2009-11-18 | 2018-03-27 | Lookout, Inc. | System and method for identifying and assessing vulnerabilities on a mobile communications device |
US8397301B2 (en) | 2009-11-18 | 2013-03-12 | Lookout, Inc. | System and method for identifying and assessing vulnerabilities on a mobile communication device |
USRE47757E1 (en) | 2009-11-18 | 2019-12-03 | Lookout, Inc. | System and method for identifying and assessing vulnerabilities on a mobile communications device |
USRE49634E1 (en) | 2009-11-18 | 2023-08-29 | Lookout, Inc. | System and method for determining the risk of vulnerabilities on a mobile communications device |
USRE48669E1 (en) | 2009-11-18 | 2021-08-03 | Lookout, Inc. | System and method for identifying and [assessing] remediating vulnerabilities on a mobile communications device |
US20180157836A1 (en) * | 2010-01-27 | 2018-06-07 | Mcafee, Llc | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
US9886579B2 (en) * | 2010-01-27 | 2018-02-06 | Mcafee, Llc | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
US8955131B2 (en) * | 2010-01-27 | 2015-02-10 | Mcafee Inc. | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
US10740463B2 (en) * | 2010-01-27 | 2020-08-11 | Mcafee, Llc | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
US20110185429A1 (en) * | 2010-01-27 | 2011-07-28 | Mcafee, Inc. | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
US9769200B2 (en) | 2010-01-27 | 2017-09-19 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
US20150113650A1 (en) * | 2010-01-27 | 2015-04-23 | Mcafee, Inc. | Method and system for proactive detection of malicious shared libraries via a remote reputation system |
US9479530B2 (en) | 2010-01-27 | 2016-10-25 | Mcafee, Inc. | Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation |
US20110197277A1 (en) * | 2010-02-11 | 2011-08-11 | Microsoft Corporation | System and method for prioritizing computers based on anti-malware events |
US8719942B2 (en) | 2010-02-11 | 2014-05-06 | Microsoft Corporation | System and method for prioritizing computers based on anti-malware events |
US20110271343A1 (en) * | 2010-04-28 | 2011-11-03 | Electronics And Telecommunications Research Institute | Apparatus, system and method for detecting malicious code |
US8955124B2 (en) * | 2010-04-28 | 2015-02-10 | Electronics And Telecommunications Research Institute | Apparatus, system and method for detecting malicious code |
US8990797B2 (en) | 2010-06-25 | 2015-03-24 | AVG Netherlands B.V. | Method for improving the performance of computers by releasing computer resources |
EP2400387A1 (en) * | 2010-06-25 | 2011-12-28 | TuneUp Software GmbH | Method for improving the performance of computers |
US9536089B2 (en) | 2010-09-02 | 2017-01-03 | Mcafee, Inc. | Atomic detection and repair of kernel memory |
US9703957B2 (en) | 2010-09-02 | 2017-07-11 | Mcafee, Inc. | Atomic detection and repair of kernel memory |
US9047441B2 (en) | 2011-05-24 | 2015-06-02 | Palo Alto Networks, Inc. | Malware analysis system |
WO2012162102A1 (en) * | 2011-05-24 | 2012-11-29 | Palo Alto Networks, Inc. | Malware analysis system |
US8695096B1 (en) | 2011-05-24 | 2014-04-08 | Palo Alto Networks, Inc. | Automatic signature generation for malicious PDF files |
US8738765B2 (en) | 2011-06-14 | 2014-05-27 | Lookout, Inc. | Mobile device DNS optimization |
US9319292B2 (en) | 2011-06-14 | 2016-04-19 | Lookout, Inc. | Client activity DNS optimization |
US10181118B2 (en) | 2011-08-17 | 2019-01-15 | Lookout, Inc. | Mobile communications device payment method utilizing location information |
US8788881B2 (en) | 2011-08-17 | 2014-07-22 | Lookout, Inc. | System and method for mobile device push communications |
US8584235B2 (en) | 2011-11-02 | 2013-11-12 | Bitdefender IPR Management Ltd. | Fuzzy whitelisting anti-malware systems and methods |
WO2013089576A1 (en) * | 2011-11-02 | 2013-06-20 | Bitdefender Ipr Management Ltd | Fuzzy whitelisting anti-malware systems and methods |
US10419222B2 (en) | 2012-06-05 | 2019-09-17 | Lookout, Inc. | Monitoring for fraudulent or harmful behavior in applications being installed on user devices |
US9215074B2 (en) | 2012-06-05 | 2015-12-15 | Lookout, Inc. | Expressing intent to control behavior of application components |
US9992025B2 (en) | 2012-06-05 | 2018-06-05 | Lookout, Inc. | Monitoring installed applications on user devices |
US9940454B2 (en) | 2012-06-05 | 2018-04-10 | Lookout, Inc. | Determining source of side-loaded software using signature of authorship |
US11336458B2 (en) | 2012-06-05 | 2022-05-17 | Lookout, Inc. | Evaluating authenticity of applications based on assessing user device context for increased security |
US9589129B2 (en) | 2012-06-05 | 2017-03-07 | Lookout, Inc. | Determining source of side-loaded software |
US10256979B2 (en) | 2012-06-05 | 2019-04-09 | Lookout, Inc. | Assessing application authenticity and performing an action in response to an evaluation result |
US9407443B2 (en) | 2012-06-05 | 2016-08-02 | Lookout, Inc. | Component analysis of software applications on computing devices |
US9864651B2 (en) | 2012-07-24 | 2018-01-09 | Hewlett-Packard Development Company, L.P. | Receiving an update code prior to completion of a boot procedure |
CN104254845A (en) * | 2012-07-24 | 2014-12-31 | Hewlett-Packard Development Company, L.P. | Receiving an update module by accessing a network site |
US9769749B2 (en) | 2012-10-26 | 2017-09-19 | Lookout, Inc. | Modifying mobile device settings for resource conservation |
US9408143B2 (en) | 2012-10-26 | 2016-08-02 | Lookout, Inc. | System and method for using context models to control operation of a mobile communications device |
US8655307B1 (en) | 2012-10-26 | 2014-02-18 | Lookout, Inc. | System and method for developing, updating, and using user device behavioral context models to modify user, device, and application state, settings and behavior for enhanced user security |
US20140137247A1 (en) * | 2012-11-09 | 2014-05-15 | International Business Machines Corporation | Limiting Information Leakage and Piracy due to Virtual Machine Cloning |
US8782809B2 (en) | 2012-11-09 | 2014-07-15 | International Business Machines Corporation | Limiting information leakage and piracy due to virtual machine cloning |
US9208215B2 (en) | 2012-12-27 | 2015-12-08 | Lookout, Inc. | User classification based on data gathered from a computing device |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9374369B2 (en) | 2012-12-28 | 2016-06-21 | Lookout, Inc. | Multi-factor authentication and comprehensive login system for client-server networks |
US8855599B2 (en) | 2012-12-31 | 2014-10-07 | Lookout, Inc. | Method and apparatus for auxiliary communications with mobile communications device |
US9424409B2 (en) | 2013-01-10 | 2016-08-23 | Lookout, Inc. | Method and system for protecting privacy and enhancing security on an electronic device |
US9165142B1 (en) * | 2013-01-30 | 2015-10-20 | Palo Alto Networks, Inc. | Malware family identification using profile signatures |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9792196B1 (en) | 2013-02-23 | 2017-10-17 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US10929266B1 (en) | 2013-02-23 | 2021-02-23 | Fireeye, Inc. | Real-time visual playback with synchronous textual analysis log display and event/time indexing |
US9225740B1 (en) | 2013-02-23 | 2015-12-29 | Fireeye, Inc. | Framework for iterative analysis of mobile software applications |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US10296437B2 (en) | 2013-02-23 | 2019-05-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US11210390B1 (en) | 2013-03-13 | 2021-12-28 | Fireeye Security Holdings Us Llc | Multi-version application support and registration within a single operating system environment |
US10198574B1 (en) | 2013-03-13 | 2019-02-05 | Fireeye, Inc. | System and method for analysis of a memory dump associated with a potentially malicious content suspect |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US10848521B1 (en) | 2013-03-13 | 2020-11-24 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US10025927B1 (en) | 2013-03-13 | 2018-07-17 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US10200384B1 (en) | 2013-03-14 | 2019-02-05 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US10122746B1 (en) | 2013-03-14 | 2018-11-06 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of malware attack |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US10812513B1 (en) | 2013-03-14 | 2020-10-20 | Fireeye, Inc. | Correlation and consolidation holistic views of analytic data pertaining to a malware attack |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9641546B1 (en) | 2013-03-14 | 2017-05-02 | Fireeye, Inc. | Electronic device for aggregation, correlation and consolidation of analysis attributes |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US10701091B1 (en) | 2013-03-15 | 2020-06-30 | Fireeye, Inc. | System and method for verifying a cyberthreat |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US10469512B1 (en) | 2013-05-10 | 2019-11-05 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US10637880B1 (en) | 2013-05-13 | 2020-04-28 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US10505956B1 (en) | 2013-06-28 | 2019-12-10 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9888019B1 (en) | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US10713362B1 (en) | 2013-09-30 | 2020-07-14 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10735458B1 (en) | 2013-09-30 | 2020-08-04 | Fireeye, Inc. | Detection center to detect targeted malware |
US9912691B2 (en) | 2013-09-30 | 2018-03-06 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US10657251B1 (en) | 2013-09-30 | 2020-05-19 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9910988B1 (en) | 2013-09-30 | 2018-03-06 | Fireeye, Inc. | Malware analysis in accordance with an analysis plan |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10218740B1 (en) | 2013-09-30 | 2019-02-26 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US11075945B2 (en) | 2013-09-30 | 2021-07-27 | Fireeye, Inc. | System, apparatus and method for reconfiguring virtual machines |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US10990696B2 (en) | 2013-10-25 | 2021-04-27 | Lookout, Inc. | Methods and systems for detecting attempts to access personal information on mobile communications devices |
US9642008B2 (en) | 2013-10-25 | 2017-05-02 | Lookout, Inc. | System and method for creating and assigning a policy for a mobile communications device based on personal data |
US10452862B2 (en) | 2013-10-25 | 2019-10-22 | Lookout, Inc. | System and method for creating a policy for managing personal data on a mobile communications device |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US10742676B2 (en) | 2013-12-06 | 2020-08-11 | Lookout, Inc. | Distributed monitoring and evaluation of multiple devices |
US10122747B2 (en) | 2013-12-06 | 2018-11-06 | Lookout, Inc. | Response generation after distributed monitoring and evaluation of multiple devices |
US9753796B2 (en) | 2013-12-06 | 2017-09-05 | Lookout, Inc. | Distributed monitoring, evaluation, and response for multiple devices |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US11089057B1 (en) | 2013-12-26 | 2021-08-10 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US10467411B1 (en) | 2013-12-26 | 2019-11-05 | Fireeye, Inc. | System and method for generating a malware identifier |
US10476909B1 (en) | 2013-12-26 | 2019-11-12 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9306974B1 (en) | 2013-12-26 | 2016-04-05 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US10740456B1 (en) | 2014-01-16 | 2020-08-11 | Fireeye, Inc. | Threat-aware architecture |
US9916440B1 (en) | 2014-02-05 | 2018-03-13 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US10534906B1 (en) | 2014-02-05 | 2020-01-14 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US10432649B1 (en) | 2014-03-20 | 2019-10-01 | Fireeye, Inc. | System and method for classifying an object based on an aggregated behavior results |
US11068587B1 (en) | 2014-03-21 | 2021-07-20 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9787700B1 (en) | 2014-03-28 | 2017-10-10 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US10454953B1 (en) | 2014-03-28 | 2019-10-22 | Fireeye, Inc. | System and method for separated packet processing and static analysis |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US11082436B1 (en) | 2014-03-28 | 2021-08-03 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US11297074B1 (en) | 2014-03-31 | 2022-04-05 | FireEye Security Holdings, Inc. | Dynamically remote tuning of a malware content detection system |
US10341363B1 (en) | 2014-03-31 | 2019-07-02 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US11949698B1 (en) | 2014-03-31 | 2024-04-02 | Musarubra Us Llc | Dynamically remote tuning of a malware content detection system |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10757134B1 (en) | 2014-06-24 | 2020-08-25 | Fireeye, Inc. | System and method for detecting and remediating a cybersecurity attack |
US9838408B1 (en) | 2014-06-26 | 2017-12-05 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on direct communications between remotely hosted virtual machines and malicious web servers |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US9661009B1 (en) | 2014-06-26 | 2017-05-23 | Fireeye, Inc. | Network-based malware detection |
US11244056B1 (en) | 2014-07-01 | 2022-02-08 | Fireeye Security Holdings Us Llc | Verification of trusted threat-aware visualization layer |
US10158664B2 (en) | 2014-07-22 | 2018-12-18 | Verisign, Inc. | Malicious code detection |
US10404725B1 (en) | 2014-08-22 | 2019-09-03 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10027696B1 (en) | 2014-08-22 | 2018-07-17 | Fireeye, Inc. | System and method for determining a threat based on correlation of indicators of compromise from other sources |
US9609007B1 (en) | 2014-08-22 | 2017-03-28 | Fireeye, Inc. | System and method of detecting delivery of malware based on indicators of compromise from different sources |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
WO2016048070A1 (en) * | 2014-09-25 | 2016-03-31 | AhnLab, Inc. | Apparatus and method for reconstructing execution file |
US10868818B1 (en) | 2014-09-29 | 2020-12-15 | Fireeye, Inc. | Systems and methods for generation of signature generation using interactive infection visualizations |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10902117B1 (en) | 2014-12-22 | 2021-01-26 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10366231B1 (en) | 2014-12-22 | 2019-07-30 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US10528726B1 (en) | 2014-12-29 | 2020-01-07 | Fireeye, Inc. | Microvisor-based malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10798121B1 (en) | 2014-12-30 | 2020-10-06 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US10666686B1 (en) | 2015-03-25 | 2020-05-26 | Fireeye, Inc. | Virtualized exploit detection system |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10075453B2 (en) * | 2015-03-31 | 2018-09-11 | Juniper Networks, Inc. | Detecting suspicious files resident on a network |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9846776B1 (en) | 2015-03-31 | 2017-12-19 | Fireeye, Inc. | System and method for detecting file altering behaviors pertaining to a malicious attack |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US11294705B1 (en) | 2015-03-31 | 2022-04-05 | Fireeye Security Holdings Us Llc | Selective virtualization for security threat detection |
US20160294849A1 (en) * | 2015-03-31 | 2016-10-06 | Juniper Networks, Inc. | Detecting suspicious files resident on a network |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US11868795B1 (en) | 2015-03-31 | 2024-01-09 | Musarubra Us Llc | Selective virtualization for security threat detection |
US10728263B1 (en) | 2015-04-13 | 2020-07-28 | Fireeye, Inc. | Analytic-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US9996682B2 (en) | 2015-04-24 | 2018-06-12 | Microsoft Technology Licensing, Llc | Detecting and preventing illicit use of device |
US10540494B2 (en) | 2015-05-01 | 2020-01-21 | Lookout, Inc. | Determining source of side-loaded software using an administrator server |
US11259183B2 (en) | 2015-05-01 | 2022-02-22 | Lookout, Inc. | Determining a security state designation for a computing device based on a source of software |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10887328B1 (en) | 2015-09-29 | 2021-01-05 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US11244044B1 (en) | 2015-09-30 | 2022-02-08 | Fireeye Security Holdings Us Llc | Method to detect application execution hijacking using memory protection |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10873597B1 (en) | 2015-09-30 | 2020-12-22 | Fireeye, Inc. | Cyber attack early warning system |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
WO2017069348A1 (en) * | 2015-10-19 | 2017-04-27 | 한국과학기술정보연구원 | Method and device for automatically verifying security event |
US10721245B2 (en) | 2015-10-19 | 2020-07-21 | Korea Institute Of Science And Technology Information | Method and device for automatically verifying security event |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10834107B1 (en) | 2015-11-10 | 2020-11-10 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US11200080B1 (en) | 2015-12-11 | 2021-12-14 | Fireeye Security Holdings Us Llc | Late load technique for deploying a virtualization layer underneath a running operating system |
US10872151B1 (en) | 2015-12-30 | 2020-12-22 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10341365B1 (en) | 2015-12-30 | 2019-07-02 | Fireeye, Inc. | Methods and system for hiding transition events for malware detection |
US10581898B1 (en) | 2015-12-30 | 2020-03-03 | Fireeye, Inc. | Malicious message analysis system |
US10445502B1 (en) | 2015-12-31 | 2019-10-15 | Fireeye, Inc. | Susceptible environment detection system |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US20190384907A1 (en) * | 2016-03-08 | 2019-12-19 | Palo Alto Networks, Inc. | Cookies watermarking in malware analysis |
US10489581B2 (en) * | 2016-03-08 | 2019-11-26 | Palo Alto Networks, Inc. | Cookies watermarking in malware analysis |
US20170264626A1 (en) * | 2016-03-08 | 2017-09-14 | Palo Alto Networks, Inc. | Malicious http cookies detection and clustering |
US10853484B2 (en) * | 2016-03-08 | 2020-12-01 | Palo Alto Networks, Inc. | Cookies watermarking in malware analysis |
US20170262629A1 (en) * | 2016-03-08 | 2017-09-14 | Palo Alto Networks, Inc. | Cookies watermarking in malware analysis |
US11323466B2 (en) | 2016-03-08 | 2022-05-03 | Palo Alto Networks, Inc. | Malicious HTTP cookies detection and clustering |
US10547627B2 (en) * | 2016-03-08 | 2020-01-28 | Palo Alto Networks, Inc. | Malicious HTTP cookies detection and clustering |
US11632392B1 (en) | 2016-03-25 | 2023-04-18 | Fireeye Security Holdings Us Llc | Distributed malware detection system and submission workflow thereof |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10616266B1 (en) | 2016-03-25 | 2020-04-07 | Fireeye, Inc. | Distributed malware detection system and submission workflow thereof |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US11936666B1 (en) | 2016-03-31 | 2024-03-19 | Musarubra Us Llc | Risk analyzer for ascertaining a risk of harm to a network and generating alerts regarding the ascertained risk |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US11240262B1 (en) | 2016-06-30 | 2022-02-01 | Fireeye Security Holdings Us Llc | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US20180063191A1 (en) * | 2016-08-31 | 2018-03-01 | Siemens Aktiengesellschaft | System and method for using a virtual honeypot in an industrial automation system and cloud connector |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US20180096147A1 (en) * | 2016-09-30 | 2018-04-05 | Intel Corporation | System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks |
US10395033B2 (en) * | 2016-09-30 | 2019-08-27 | Intel Corporation | System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks |
WO2018063756A1 (en) * | 2016-09-30 | 2018-04-05 | Intel Corporation | System, apparatus and method for performing on-demand binary analysis for detecting code reuse attacks |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US11570211B1 (en) | 2017-03-24 | 2023-01-31 | Fireeye Security Holdings Us Llc | Detection of phishing attacks using similarity analysis |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10902119B1 (en) * | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10554507B1 (en) | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10848397B1 (en) | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US11863581B1 (en) | 2017-03-30 | 2024-01-02 | Musarubra Us Llc | Subscription-based malware detection |
US11399040B1 (en) | 2017-03-30 | 2022-07-26 | Fireeye Security Holdings Us Llc | Subscription-based malware detection |
US10218697B2 (en) | 2017-06-09 | 2019-02-26 | Lookout, Inc. | Use of device risk evaluation to manage access to services |
US11038876B2 (en) | 2017-06-09 | 2021-06-15 | Lookout, Inc. | Managing access to services based on fingerprint matching |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11637859B1 (en) | 2017-10-27 | 2023-04-25 | Mandiant, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11949692B1 (en) | 2017-12-28 | 2024-04-02 | Google Llc | Method and system for efficient cybersecurity analysis of endpoint events |
US11949694B2 (en) | 2018-01-31 | 2024-04-02 | Palo Alto Networks, Inc. | Context for malware forensics and detection |
US11159538B2 (en) | 2018-01-31 | 2021-10-26 | Palo Alto Networks, Inc. | Context for malware forensics and detection |
US10764309B2 (en) | 2018-01-31 | 2020-09-01 | Palo Alto Networks, Inc. | Context profiling for malware detection |
US11863571B2 (en) | 2018-01-31 | 2024-01-02 | Palo Alto Networks, Inc. | Context profiling for malware detection |
US11283820B2 (en) | 2018-01-31 | 2022-03-22 | Palo Alto Networks, Inc. | Context profiling for malware detection |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11856011B1 (en) | 2018-03-30 | 2023-12-26 | Musarubra Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11882140B1 (en) | 2018-06-27 | 2024-01-23 | Musarubra Us Llc | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11956212B2 (en) | 2021-03-31 | 2024-04-09 | Palo Alto Networks, Inc. | IoT device application workload capture |
Also Published As
Publication number | Publication date |
---|---|
US9021590B2 (en) | 2015-04-28 |
TWI463405B (en) | 2014-12-01 |
TW200842716A (en) | 2008-11-01 |
WO2008106296A1 (en) | 2008-09-04 |
Similar Documents
Publication | Title |
---|---|
US9021590B2 (en) | Spyware detection mechanism |
US10516531B2 (en) | Key management for compromised enterprise endpoints |
US10778725B2 (en) | Using indications of compromise for reputation based network security |
US20220131836A1 (en) | Firewall techniques for colored objects on endpoints |
US10673902B2 (en) | Labeling computing objects for improved threat detection |
US10558800B2 (en) | Labeling objects on an endpoint for encryption management |
US9930071B2 (en) | System and methods for secure utilization of attestation in policy-based decision making for mobile device management and security |
US20180278650A1 (en) | Normalized indications of compromise |
US20180278631A1 (en) | Threat detection using a time-based cache of reputation information on an enterprise endpoint |
US10965711B2 (en) | Data behavioral tracking |
US9411955B2 (en) | Server-side malware detection and classification |
US10122742B1 (en) | Classifying software modules based on comparisons using a neighborhood distance metric |
US11861006B2 (en) | High-confidence malware severity classification of reference file set |
WO2016038397A1 (en) | Labeling computing objects for improved threat detection |
Hallman et al. | Risk metrics for android (trademark) devices |
Faruki | Techniques For Analysis And Detection Of Android Malware... |
Xu | Anomaly Detection through System and Program Behavior Modeling |
Yang et al. | Optimus: association-based dynamic system call filtering for container attack surface reduction |
Lightweight | Institute for Software Research |
Saracino et al. | Risk analysis of Android applications: A user-centric solution (Gianluca Dini, Fabio Martinelli, Ilaria Matteucci, Marinella Petrocchi) |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: MICROSOFT CORPORATION, WASHINGTON. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: HERLEY, CORMAC E.; KEOGH, BRIAN W.; HULETT, AARON MICHAEL; AND OTHERS; SIGNING DATES FROM 20070226 TO 20070227; REEL/FRAME: 018941/0489 |
FEPP | Fee payment procedure | Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
AS | Assignment | Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: MICROSOFT CORPORATION; REEL/FRAME: 034542/0001. Effective date: 20141014 |
STCF | Information on status: patent grant | Free format text: PATENTED CASE |
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551). Year of fee payment: 4 |
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8 |